With the demand for the latest technology always running ahead of the effort to secure it, security tends to be an afterthought, and that gives attackers a head start.
Richard Stiennon’s There Will Be Cyberwar: How The Move to Network-Centric War Fighting Has Set The Stage For Cyberwar highlights the gap between the speed at which new technology emerges and the speed at which security for it is developed. Stiennon argues that the U.S. military’s rush into network-centric warfare has left it playing “catch up,” securing the latest technology only after it is fielded. What if military technology turns friends into foes, navigation leads pilots and captains astray, or missiles, guns and other weapons do not fire when employed? Stiennon lays out what the future may hold for warfare and the warfighter. Here is chapter 7 from the book, which focuses on threat management.
Chapter 7: Threat Management
Consider if the US president’s morning intelligence briefing was focused on risk management.
It would have to take into account the 40 or so US facilities that are involved in the production of nuclear weapons. Then there may be the 250 or so diplomatic missions around the world, and of course hundreds of US military bases, and maybe a breakdown of the 17 designated critical infrastructure sectors, not forgetting parks and national monuments and yes, movie studios.
Ridiculous, of course, because a true risk management report would summarize all of that information into a simple score. A vast army of risk auditors would be engaged to come up with a uniform scoring system and every “asset” would be given a score which would be weighted and rolled up into a dashboard that gave a single-pane-of-glass view into overall risk every day.
But if such a thing were even possible, what would it have shown the day before the USS Cole was attacked? Or on Sept. 10, 2001? Would it have acknowledged the risk of the rise of ISIS? Or Russia moving into Crimea? Global affairs are subject to Black Swans.
Of course a POTUS intelligence briefing is not about assets; it is about threat actors. Intelligence is gathered about their intentions, capabilities, and movements. Decisions are made based on threats. Real and present dangers are identified and resources are deployed to gather further intelligence (detect), deny, disrupt, delay, degrade, deceive or destroy the threat actors.
That is the basis of threat management, an approach that is proving much more effective at reducing losses from targeted attacks. Enterprise IT security is moving that way with the creation of a new category of cyber defenses. At one level are startups that monitor threat actor activity globally. Companies like iSIGHT Partners infiltrate hacker and cybercriminal discussion forums and write play books of their methodologies and tools. Organizations apply those play books to their own environments, monitoring their networks for suspicious activity that matches them. They also subscribe to threat feeds that provide Indicators of Compromise (IoC) to be matched against network traffic and endpoint infections.

Threat feeds are generated by research companies that usually operate a global network of honey pots: computers and email accounts placed on the Internet specifically so that they receive attacks. AV companies have long operated honey pot email accounts to supplement the intelligence they gather from their millions of users. Attachments received by the honey pot accounts are opened, embedded links are visited, and attachments are allowed to execute. The intelligence from these attacks includes new malware samples, source IP addresses of spammers and destination IP addresses of C&C servers. That data is collated and streamed to subscribers, who in turn monitor traffic and endpoints for any indication that they are under attack.
The threat management ecosystem has grown dramatically since the APT1 report from Mandiant (2013) set the industry in motion. That report, for the first time, provided convincing detail that operatives of the Chinese PLA (Unit 61398) were engaged in full-time cyber espionage. Detecting attacks quickly and responding effectively has become the focus of most new security vendors.
The threat research community has created standards to help communicate the Indicators of Compromise (IoC) it discovers. STIX is a structured language for describing threat information, including IP addresses, domains, and hashes (MD5, and increasingly SHA-1 and SHA-256) of malware and malicious files; TAXII is the transport protocol for exchanging STIX content between producers and consumers. Open source and commercial feeds are quickly moving to STIX and TAXII. A practical caveat: an indicator is only as good as its context and age. A C&C address may be reassigned within weeks, so a feed entry should carry its source, first-seen and last-seen times, and a confidence value, and a match on a stale indicator should be treated as a lead rather than an alarm.
Vendors such as ThreatStream and BrightPoint have created threat intelligence management platforms that consume multiple feeds, normalize them, and then integrate with security tools such as a SIEM to determine whether any of the threat intelligence generates a “sighting,” an alert that the enterprise is under attack. In the other direction, BrightPoint allows its customers to join “trust circles” within which they can share information and determine whether a particular threat indicator has been sighted by other community members.
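As an added illustration (not code from the book, and not any vendor’s product), the following Python shows the normalize-and-match step described above: indicators from two feed formats, a STIX 2.1 pattern and a plain CSV feed, are folded into one set and then matched against telemetry from three sources to produce sightings. The feed contents, log records and host names are constructed for the example; the IP addresses are from the RFC 5737 documentation ranges and the MD5 is that of the EICAR test file. Only simple equality comparisons of the STIX pattern grammar are handled.

```python
"""Threat-feed normalisation and sighting detection (added example)."""
import csv
import io
import re

# Constructed feed 1: a STIX 2.1 indicator pattern (simple equality
# comparisons joined by OR).  IPs are RFC 5737 documentation addresses,
# the domain is invented, the MD5 is that of the EICAR test file.
STIX_PATTERN = ("[ipv4-addr:value = '203.0.113.5'] OR "
                "[domain-name:value = 'update.bad.example'] OR "
                "[file:hashes.MD5 = '44d88612fea8a8f36de82e1278abb02f']")

# Constructed feed 2: the same kind of data as plain CSV, as many open
# feeds distribute it.  Note the differently-cased duplicate domain.
CSV_FEED = """kind,value,source
ip,198.51.100.77,feed-b
domain,UPDATE.BAD.EXAMPLE,feed-b
"""

# Constructed local telemetry: a DNS log, flow records, endpoint file events.
SAMPLE_RECORDS = [
    {"type": "dns", "ts": "2015-03-02T09:14:02Z", "host": "ws-117", "qname": "update.bad.example."},
    {"type": "flow", "ts": "2015-03-02T09:14:03Z", "host": "ws-117", "src": "10.1.4.117", "dst": "203.0.113.5"},
    {"type": "file", "ts": "2015-03-02T09:14:05Z", "host": "ws-117", "md5": "44D88612FEA8A8F36DE82E1278ABB02F"},
    {"type": "flow", "ts": "2015-03-02T09:20:11Z", "host": "ws-042", "src": "10.1.4.42", "dst": "192.0.2.10"},
]

_COMPARISON = re.compile(r"(?P<type>[\w-]+):(?P<prop>[\w.'-]+)\s*=\s*'(?P<value>[^']*)'")
_KIND_OF = {("ipv4-addr", "value"): "ip", ("domain-name", "value"): "domain",
            ("file", "hashes.MD5"): "md5", ("file", "hashes.'SHA-256'"): "sha256"}

def parse_stix_pattern(pattern):
    """Extract (kind, value) indicators from a STIX pattern.  Only simple
    equality comparisons are understood; anything else is ignored."""
    out = set()
    for m in _COMPARISON.finditer(pattern):
        kind = _KIND_OF.get((m.group("type"), m.group("prop")))
        if kind:
            out.add((kind, m.group("value").lower()))
    return out

def parse_csv_feed(text):
    return {(r["kind"], r["value"].lower()) for r in csv.DictReader(io.StringIO(text))}

def merge_feeds(*feeds):
    """Normalised indicators from every feed, de-duplicated across sources."""
    return set().union(*feeds)

# What each telemetry type can be matched on.  DNS names are lower-cased
# with the trailing dot stripped; hashes are lower-cased.
_OBSERVABLES = {
    "flow": lambda r: [("ip", r["src"]), ("ip", r["dst"])],
    "dns": lambda r: [("domain", r["qname"].rstrip(".").lower())],
    "file": lambda r: [("md5", r["md5"].lower())],
}

def find_sightings(indicators, records):
    """One sighting per (indicator, record) match, in record order."""
    sightings = []
    for rec in records:
        for obs in _OBSERVABLES[rec["type"]](rec):
            if obs in indicators:
                sightings.append({"host": rec["host"], "ts": rec["ts"],
                                  "kind": obs[0], "value": obs[1], "source": rec["type"]})
    return sightings

def hosts_under_attack(sightings):
    """Hosts with sightings and which indicator kinds hit each one: several
    kinds on one host in a short window is a far stronger signal than a
    lone IP match."""
    out = {}
    for s in sightings:
        out.setdefault(s["host"], set()).add(s["kind"])
    return {h: sorted(k) for h, k in out.items()}

if __name__ == "__main__":
    iocs = merge_feeds(parse_stix_pattern(STIX_PATTERN), parse_csv_feed(CSV_FEED))
    hits = find_sightings(iocs, SAMPLE_RECORDS)
    for s in hits:
        print(s)
    print(hosts_under_attack(hits))
```

With the constructed data, ws-117 resolves the malicious domain, connects to the listed C&C address and drops the flagged file within three seconds, which is the kind of multi-source correlation a “sighting” should be built on; ws-042 produces nothing.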
Security Analytics (SA) is becoming an important capability in threat management. SIEM data and network traffic are examined, parsed, and analyzed to recognize when an attack is under way. Early practitioners of SA had to stitch together various labor-intensive tools to do this, but new companies like Prelert, Sqrrl, and LightCyber are automating the process.
While risk management demands that an organization track an essentially unbounded set of exposures, threat management can focus on a handful of categories of actors:
Insiders take advantage of their authorized access to computers, networks, and applications for their own ends. They may be the “disgruntled employee” who merely wishes to cause damage. Take for example Jason Cornish, who had set up mission-critical virtual machines for Shionogi, a subsidiary of a Japanese pharmaceutical company, with offices in New Jersey and Georgia. When his friend was terminated, Cornish quit the company, drove down the road to the nearest McDonald’s and logged in over its free WiFi to erase those virtual servers. Thanks to a remarkably effective FBI, it did not take long to trace the activity to the AT&T WiFi access point at the McDonald’s and confirm that the disgruntled insider had purchased a Big Mac with his credit card shortly before the destruction.
Addressing the insider threat has always been one of the primary purposes of computer and network security. Remember IBM’s RACF? Yet, most organizations rely on written contracts and policies or implicit trust to prevent employee and contractor abuse.
Network monitoring and employee activity monitoring, which usually entails an agent on each desktop recording user actions, help deter insider misbehavior. A robust Identity and Access Management (IAM) solution also helps. Strong authentication to establish identity, and the ability to revoke access promptly when an employee leaves or a contractor is no longer needed, should be mandated.
Hackers get a lot of press. They tend to target vulnerable systems just to demonstrate their prowess. Countering hackers is the one area where traditional risk management works: frequent external scans for vulnerabilities and an active effort to patch what they find is the best defense. Putting a firewall and other defenses in front of Internet-facing assets is another requirement. The principle is to be uninteresting to a hacker by not having easily exploited vulnerabilities, much as one discourages neighborhood burglaries by installing motion-sensing floodlights and good locks.
Cyber criminals are the primary concern of any organization that handles money. Banks, mortgage brokers, stock trading desks, and even the CFO or administrator responsible for wire transfers at a small enterprise, are all targets. Being familiar with trends and immediate activities of cyber criminals may be enough warning to bolster defenses. Just as TJX could have learned from the Lowe’s attack via Pringles-enhanced WiFi, Target Corp could have seen the attack coming by monitoring the rise of PoS malware.
Nation-state attacks against corporations, universities, and government research labs can be traced back decades, but they began to be common in 2004 with the discovery of multiple breaches by Shawn Carpenter, an IDS analyst at Sandia National Laboratories in New Mexico. Carpenter noticed unusual network activity in his logs and traced the intrusions back to China. Poking around the C&C server he found numerous documents belonging to other targets of interest. Working with the FBI as a confidential informant over the next year, he helped investigate a slew of attacks that the FBI dubbed Titan Rain.
Massive breaches have been recorded. The exfiltration of weapons systems designs from the Defense Industrial Base (DIB), infiltration of DC-based think tanks, breaches of law firms, and the penetration of natural resource companies like Rio Tinto in Australia are all examples of nation-state actions.
For sophistication, nothing comes close to Operation Olympic Games (Stuxnet), which successfully disrupted Iran’s uranium enrichment program.
Countering nation-state actors requires the highest level of cyber defenses. Luckily, an organization that can effectively discover and disrupt or deny the activities of a well-funded nation-state cyber operation will have no problem countering attacks from other threat actors.
The technologies and methodologies for countering targeted attacks, be they from hackers, cyber criminals, or nation-states, are evolving rapidly. Much of the methodology has been independently derived at highly targeted organizations like Lockheed Martin (whose analysts published the intrusion kill chain), RSA (the security division of EMC), major banks, and new vendors.
Despite years of investment in multiple layers of security defenses, every organization is still wide open to targeted attacks. It is practically impossible to stop all of them. Even Next Generation Firewalls, complete alerting and logging collected in a SIEM, and universal patch management and vulnerability discovery have proven ineffective against threat actors who are motivated, skilled and determined.
In an environment of constant unrelenting attacks, network packet capture, net flow recording and advanced security analytics are needed to discover the attack in progress and provide the intelligence to minimize the damage done. Advance knowledge of the reconnaissance phase, early probes of vulnerable systems, suspicious lateral movement, and attempted exfiltration can give the cyber defense team the time they need to thwart the attack and prepare for the follow-on attacks.
Security Analytics is the application of security intelligence to large data sets, usually of full packet captures or net flow data.
Security intelligence is any information that indicates an attack in progress or already successful. It may also include knowledge of attacker playbooks of the type iSIGHT Partners publishes.
Because every attacker has a vast set of tools available, there are many more types of advanced attack than there are attackers. Yet in the last three years some common methodologies have arisen. This category of attack, often called Advanced Persistent Threats (APTs), has become so common because it is so effective. The most critical differentiator from the malware, exploit, and random attacks of the last decade is the targeting. An attacker, be it cyber criminal, hacktivist, insider, or national spy agency, has pre-determined that your organization has information of use to them. It could be credit card information residing in Point of Sale terminals, as in the Target (2013) and Home Depot (2014) breaches. It could be designs of weapon systems, as in the exfiltration of F-35 Joint Strike Fighter data from the Defense Industrial Base. Or it could be the secret seeds of one-time password tokens, as in the successful 2011 attack against RSA, the security division of EMC.
To protect a network against a known piece of malware one simply updates AV systems with the latest signature databases or installs the latest patches. But to protect against a known attacker the requirements are much more involved.
Once an attacker has decided that your data is needed they continue to come back day after day. If your defenses are too strong, they attack your suppliers and trusted partners, such as an outside legal counsel. If you block them at the gateway, they come through an executive’s laptop.
Security Analytics is big data science applied to full packet capture data, NetFlow, and event logs. The state of the art is to capture all traffic from each network segment, NetFlow data from routers and switches, and event information from firewalls and endpoints, and subject all of it to complete analysis. Collection is passive: traffic is copied from a network tap or a switch mirror (SPAN) port, so the sensor is not an inline “bump in the wire” and cannot add latency or become a point of failure. The analytics are done offline, after capture. The technology is evolving rapidly, with constant improvements that allow drilling down to the individual packet, looking at all traffic to get the big picture, and consuming external sources of intelligence such as Indicators of Compromise (IoC).
Scale, speed, and ability to apply security intelligence and correlating disparate events will be the determining factor in the success of SA tools.
Today an attack is run by human attackers sitting at remote computers. The defenders also need to constantly be surveilling their own networks to detect, deter, disrupt and block attacks.
Security Analytics has two components: a sensor deployed to a network segment for packet capture or net flow data generated by network devices such as routers, switches, and firewalls, and an analysis engine for the heavy lifting. The analysis engine parses and indexes all of the captured network traffic. An interface provides all of the analysis functions. A dashboard provides a high level view. It is when you start to mine the data that the intelligence magic is employed. Drill down to a single probe of the network over an unused port. Pivot to look at all other probes from the same source. Look at all similar activity. Determine when a reconnaissance phase shifted to a concerted attack. Find the queries to the Active Directory server. Follow those to the most recent machine touched by the domain admin’s account (attackers can guess the domain admin just from activity logged in AD). Find the pass-the-hash attack against the database server. Slam the doors on the intruder.
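Here is the pivot the walkthrough above describes, reduced to code over flow records: find sources that probe ports nobody answers on, list everything else those sources touched, and mark the moment a probing source first obtains a real session. This is an added example, not the book’s or any vendor’s code. The flow lines are constructed in a NetFlow-like format, the internal 10.1.1.0/24 hosts and the RFC 5737 external addresses are made up, and the rule that a flow which never carried an ACK is a probe is a simplification (a real tool would pair each flow with its reverse direction).

```python
"""Recon-to-attack pivot over flow records (added example; data constructed)."""
from collections import defaultdict
from datetime import datetime

# Constructed NetFlow-like records: ts src dst dport pkts bytes tcpflags.
# 10.1.1.0/24 is the monitored segment; 203.0.113.9 and 198.51.100.4 are
# RFC 5737 documentation addresses standing in for external sources.
SAMPLE_FLOWS = """\
2015-03-02T02:10:01Z 203.0.113.9 10.1.1.20 22 1 60 S
2015-03-02T02:10:01Z 203.0.113.9 10.1.1.20 23 1 60 S
2015-03-02T02:10:02Z 203.0.113.9 10.1.1.20 8080 1 60 S
2015-03-02T02:10:02Z 203.0.113.9 10.1.1.20 5900 1 60 S
2015-03-02T02:10:03Z 203.0.113.9 10.1.1.20 1433 1 60 S
2015-03-02T02:10:03Z 203.0.113.9 10.1.1.21 1433 1 60 S
2015-03-02T02:10:04Z 203.0.113.9 10.1.1.22 3389 1 60 S
2015-03-02T02:30:00Z 198.51.100.4 10.1.1.20 443 37 9200 SPA
2015-03-02T02:31:00Z 198.51.100.4 10.1.1.20 80 12 2100 SPA
2015-03-02T03:41:17Z 203.0.113.9 10.1.1.21 1433 412 188300 SPA
"""

def parse_flow(line):
    ts, src, dst, dport, pkts, nbytes, flags = line.split()
    return {"ts": datetime.fromisoformat(ts.replace("Z", "+00:00")),
            "src": src, "dst": dst, "dport": int(dport),
            "pkts": int(pkts), "bytes": int(nbytes), "flags": flags}

def is_probe(flow):
    """A SYN that never became an acknowledged session.  Simplification:
    a real tool would also pair the flow with the reverse direction."""
    return "A" not in flow["flags"]

def find_recon_pivots(lines, min_ports=4):
    """Group flows by source.  A source that probed at least `min_ports`
    distinct ports is reconnaissance; report what it touched and the first
    acknowledged session it obtained after the probing stopped."""
    by_src = defaultdict(list)
    for line in lines.splitlines():
        if line.strip():
            f = parse_flow(line)
            by_src[f["src"]].append(f)
    findings = {}
    for src, flows in by_src.items():
        flows.sort(key=lambda f: f["ts"])
        probes = [f for f in flows if is_probe(f)]
        ports = {f["dport"] for f in probes}
        if len(ports) < min_ports:
            continue                      # normal client, not a scanner
        recon_end = probes[-1]["ts"]
        later = [f for f in flows if not is_probe(f) and f["ts"] > recon_end]
        first = later[0] if later else None
        findings[src] = {
            "recon_start": probes[0]["ts"],
            "recon_end": recon_end,
            "hosts_probed": sorted({f["dst"] for f in probes}),
            "ports_probed": sorted(ports),
            # (ts, dst, dport, bytes) of the first real session, or None
            "first_session": None if first is None else
                (first["ts"], first["dst"], first["dport"], first["bytes"]),
        }
    return findings

if __name__ == "__main__":
    for src, info in find_recon_pivots(SAMPLE_FLOWS).items():
        print(src, "probed", info["hosts_probed"], "ports", info["ports_probed"])
        print("  recon", info["recon_start"], "->", info["recon_end"])
        print("  first session after recon:", info["first_session"])
```

On the constructed data the scanner touches three hosts and six ports in four seconds, then ninety minutes later holds a 188 KB session to the database server on port 1433: that later timestamp is the point at which reconnaissance turned into an attack, and the session is where a packet-level drill-down would start. The ordinary web client never appears.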
(Pass-the-hash is a weakness of Windows domain authentication that must be explained. Accounts and their privileges are administered in Active Directory, and the Domain Admin can usually perform any action on any machine: change policies and passwords, add or remove software, and of course read any file. Windows does not compare passwords directly. When an administrator logs in she provides a password, the machine computes a fixed hash of it (the NT hash), and for the legacy NTLM protocol that hash, never the password, is the secret used to answer the authentication challenge from a server or domain controller. To provide single sign-on, Windows keeps the NT hash of every logged-on user cached in memory (in the LSASS process) on that machine. So when the administrator opens a connection to another machine she is not asked for her password again; her machine “passes the hash” to answer the next machine’s challenge, and the next machine accepts it. The hash is therefore a password equivalent. An attacker who gains administrative control of any machine a domain admin has recently logged into (recent logons can often be inferred from logon events) can dump the cached hash from memory with tools such as Mimikatz and use it to authenticate to any other machine in the domain, without ever cracking the password. In 2014 an Israeli startup, Aorato, built a product that detected this kind of abuse by modeling normal authentication traffic to domain controllers, and within months Microsoft had acquired it. Microsoft has since shipped mitigations, among them the Protected Users group, which blocks NTLM for its members, and Credential Guard, which isolates the cached secrets from the rest of the operating system, but the durable defense is to ensure that domain admin credentials are never exposed on ordinary workstations and servers in the first place.)
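The point that the hash is a password equivalent can be shown in code. The following Python (an added example, not the book’s or any vendor’s) computes the NT hash and the NTLMv2 challenge response as MS-NLMP specifies them, then shows that a party holding only the dumped hash produces the same response as the legitimate client that knows the password. The user name, domain, server challenge and blob bytes are constructed here; a real client builds the blob per MS-NLMP 3.3.2. MD4 is implemented locally because OpenSSL 3 builds of hashlib often omit it.

```python
"""Why a stolen NT hash is a password equivalent (added example)."""
import hashlib
import hmac
import os
import struct

_MASK = 0xFFFFFFFF

def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def md4(data):
    """RFC 1320 MD4; the NT hash is MD4 over the UTF-16LE password."""
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    rounds = (
        (f, 0x00000000, (3, 7, 11, 19), range(16)),
        (g, 0x5A827999, (3, 5, 9, 13),
         (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (h, 0x6ED9EBA1, (3, 9, 11, 15),
         (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for fn, k, shifts, order in rounds:
            for i, idx in enumerate(order):
                a = _rotl((a + fn(b, c, d) + x[idx] + k) & _MASK, shifts[i % 4])
                a, b, c, d = d, a, b, c   # rotate roles; next step updates old d
        state = [(s + v) & _MASK for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)

def nt_hash(password):
    """The NT hash that LSASS caches for single sign-on and that
    Mimikatz-style tools dump from memory."""
    return md4(password.encode("utf-16-le"))

def ntlmv2_response(nt, user, domain, server_challenge, blob):
    """NTProofStr from MS-NLMP 3.3.2.  The only secret input is the NT
    hash, so whoever holds the hash can answer the challenge; the password
    itself is never needed again once it has been hashed."""
    response_key = hmac.new(nt, (user.upper() + domain).encode("utf-16-le"),
                            hashlib.md5).digest()
    return hmac.new(response_key, server_challenge + blob, hashlib.md5).digest()

def pass_the_hash_demo():
    """Legitimate client (knows the password) and attacker (knows only the
    dumped hash) produce identical responses to the same server challenge."""
    server_challenge = os.urandom(8)
    # Constructed stand-in for the NTLMv2 'temp' blob (version, timestamp,
    # client challenge, target info); a real client builds it per MS-NLMP.
    blob = (b"\x01\x01" + b"\x00" * 6 + struct.pack("<Q", 130712412345678901)
            + os.urandom(8) + b"\x00" * 4 + b"CORP-TARGET-INFO" + b"\x00" * 4)
    legit = ntlmv2_response(nt_hash("password"), "admin", "CORP",
                            server_challenge, blob)
    # What an attacker lifts from LSASS on a machine the admin logged into:
    stolen = bytes.fromhex("8846f7eaee8fb117ad06bdd830b7586c")
    forged = ntlmv2_response(stolen, "admin", "CORP", server_challenge, blob)
    return hmac.compare_digest(legit, forged)

if __name__ == "__main__":
    print("NT hash of 'password':", nt_hash("password").hex())
    print("attacker with hash only authenticates:", pass_the_hash_demo())
```

Nothing in the exchange ever requires the password, which is why rotating it does not help once the hash has been captured and why the defenses that work are the ones that keep privileged hashes from being cached on machines an attacker can reach.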
There are three important features of a security analytics system: scale, the ability to replay traffic, and an intuitive interface for data mining.
A single fully saturated gigabit link can generate 10.8 terabytes of data every day (1 Gb/s is 125 MB/s, times 86,400 seconds). An organization may need to retain 30-60 days of packet capture data to be able to establish that it has not been surveilled or compromised by advanced targeted attacks. Security analytics tools must therefore be able to quickly replay hundreds of terabytes of data as new intelligence on threats becomes available. In practice, the scanning engine is updated, often weekly, whereupon the captured data is replayed and analyzed to catch new indicators of compromise or connections to known hostile IP addresses or domains.
Passing network traffic through an analysis engine is much like running a robust IDS tool in batch mode. But IDS has historically been a noisy generator of alerts requiring extensive tuning to reduce the volume. The alerts themselves create a data management problem that has been addressed by Security Information and Event Management (SIEM) tools. While modern SIEM tools have graphical interfaces that display long lists of alerts, stack ranked by “severity,” they are little more than spreadsheets that require extraordinary amounts of time to work through the thousands of high-priority alerts generated. And, because IDS systems do not capture full traffic, they typically indicate that something happened without collecting the data needed to determine what happened.
Security analytics tools provide the ability to investigate network activity based on time-stamped data or other correlations. The ability to visualize data in terms of threats, sessions, protocols, streams, and files, makes network forensics possible and practical.
Security Analytics is evolving rapidly. First generation systems applied filters at the collection sensor to reduce the total amount of data being stored. Many so-called network recorders, designed to replay sessions for troubleshooting or for monitoring employee online behavior, evolved into threat analysis tools. Full packet capture for threat detection is relatively new. As the market for security analytics grows, innovations will address these critical needs.
Realtime Security Analytics is needed to watch attacks while they are in progress. Experienced SA practitioners are becoming familiar with the deep dive data mining from today’s SA tools but want to apply that same ability to understand packet flows in real or near real-time. Replaying legacy traffic against new intelligence will always be important, but as attacks become more automated the time required to react effectively will shrink.
Arbor Networks’ Pravail Security Analytics and RSA NetWitness are two strong SA tools. Lancope is an Atlanta-based company that focuses on security analytics of NetFlow and sFlow data. Sqrrl is a startup created by former NSA analysts who built on the NSA’s big data analytics tools (the Accumulo database) that the Software Assurance Directorate has released as open source.
Automated response will be required to shun easily identified attack vectors or even completely anomalous behavior. While the industry has resisted connecting the plumbing between detection and protection devices the time is rapidly approaching when this will be required, especially for critical systems that can easily be disrupted by simple attacks such as manufacturing, critical infrastructure and medical systems.
Security analytics is the most powerful tool available to detect and counter today’s APTs, which are characterized by identifiable phases of attack: recon, probing, payload delivery, command and control, and exfiltration. So far there is only one example of modern autonomous attack capability, dubbed Olympic Games or Stuxnet. Countering an attack that could be delivered and successfully executed in minutes instead of days will challenge all modern security defenses. Security Analytics is the precursor to future tools that will be designed to recognize and deflect autonomous attacks.
Security Analytics is one of the two fastest-growing product categories in security. The other is sandboxing for advanced malware detection. As executables are delivered via email or direct download from websites they are “detonated” in a virtualized environment instrumented to detect malicious behavior such as privilege escalation, command and control communication, or downloading further malicious payloads. This is required because the most highly targeted attacks involve unique malware customized for the defender’s systems, often exploiting new zero-day vulnerabilities, which traditional signature-based AV will not identify. (Sandboxes are not a complete answer: malware that checks for a virtual machine, sleeps past the analysis window, or only acts on the exact target environment it expects can pass through undetected, so sandbox verdicts need to be correlated with the network telemetry described above.) Every organization will have to deploy some sort of security analytics coupled with network traffic monitoring and sandboxing. The largest IT departments in highly targeted environments, like banks and defense contractors, are already doing some form of security analytics and advanced malware detection, and the enterprise is hiring the talent now to deploy and use it. Smaller organizations will have to use managed service providers because they lack the staff. There will be standalone tools, cloud tools and capabilities built into network security platforms. Scale, speed and the ability to apply security intelligence will be the determining factors in the success of these tools.
Security analytics is an emerging requirement in the ongoing arms race with threat actors. It has the advantage of applying to all threat actors. Vulnerability scanning and effective patching may have been the correct approach, even sufficient, back when the primary threat actors were hackers looking for vulnerable systems they could exploit. But sophisticated attackers need to be countered with sophisticated technology, people, and processes.
The Surveillance State represents the final threat actor. Beyond foreign state agencies, it turns out that an organization’s own government may be spying on it. The difference between a foreign state actor and a domestic one is jurisdiction. One’s own government may have the backing of law. The state can demand that an organization open its networks to surveillance. Legal demands such as National Security Letters can be employed, and these questionable instruments prohibit recipients from even disclosing that they have received such a demand.
Legal issues aside, the remarkable capabilities of the NSA and GCHQ revealed by the stream of Snowden documents paint a picture of a truly sophisticated and determined digital adversary. The one advantage the surveillance state has over any other attacker is access to the backbones of the service providers. It can install listening devices at the telephone company’s central office (CO) and intercept all traffic. For decades it was assumed that it would be very difficult for an attacker to intercept communications at the CO: an attacker would have to infiltrate the telecom provider, install equipment, and then maintain its presence. Telcos have good physical security in their COs that would most likely defeat such attempts by cyber criminal gangs or foreign nations.
In 2006 it was revealed by whistleblower Mark Klein that the San Francisco CO of AT&T had indeed been compromised by the NSA, which installed Narus packet capture gear in a secure room of that facility (Room 641A) capable of monitoring billions of bits of Internet traffic a second, including the playback of telephone calls routed over the Internet: surveillance on an unprecedented scale.
The activities of the NSA’s Tailored Access Operations (TAO) unit, as revealed in the ANT catalog, paint a picture of astounding capabilities to infiltrate networks, install back doors in equipment, eavesdrop from close proximity, and maintain persistence.
Threat management comes down to understanding the intent of an attacker and taking steps to thwart them. The most advanced practitioners of threat management are able to sort attacks into campaigns. Similar methods, tools, and other indicators, are associated with a campaign. The defenders can track a campaign over months and it is hoped continue to counter it as the attacker uses more and more sophisticated evolutions. The attackers may start with a simple probe of a network, or send a clumsily crafted email with a malicious attachment. As they fail to gain a foothold they “up their game.” They may get better at crafting those emails, to the point where they appear to come from the CEO to the CFO asking for instructions on how to execute a wire transfer. They may use zero-day vulnerabilities and new exploits. Ultimately they could bribe or coerce the information they seek from an employee.
Most of the techniques outlined here require human monitoring and intervention to take action. As more organizations become better defended the attackers will start to automate their attacks. We have seen what this looks like; it’s Stuxnet, a completely autonomous attack. Once Stuxnet was released it set in motion a series of actions that accomplished a goal.
Autonomous attacks will require automated defense to thwart. Few organizations are ready to implement automated defense. They have several years to prepare before they will be necessary.