Comprehensive Advanced Threat Defense June 2014



WPv0614

PAGE 1

Introduction

The hot topic in the information security industry these days is “Advanced Threat Defense” (ATD). There are many definitions, and plenty of marketing hype and spin on the topic, but it is the science – and the art – of defending yourself against sophisticated, persistent adversaries who can get past (or have already gotten past) your security defenses.

We like to define advanced threat defense in terms of the adversary rather than the attack technique used, to remind ourselves that what we are really up against is a person or, more likely, a group of people who are specifically targeting your organization and will use whatever attack vectors and techniques are necessary to achieve their objectives.

This paper describes a comprehensive, network-based approach to Advanced Threat Defense.


The Threat Lifecycle

It is important to understand that advanced, targeted attacks are not instantaneous events. They are complex processes with multiple phases that occur over a period of time. As shown in Figure 1, we break the threat lifecycle down into four major phases:

1. Infiltration

2. Command and Control Communication

3. Lateral Propagation

4. Data Exfiltration

Figure 1. Threat Lifecycle


Infiltration Phase

If the adversaries are external threat actors, they normally need to get access to, and then gain control over, one of your organization’s computing assets. There are many ways they can accomplish this. They could use a classic server-side exploit technique such as SQL injection, or find a new flaw in an exposed service by fuzzing it. They could guess, buy, or crack one of your users’ VPN login credentials (username and password). They could use social engineering to exploit a user’s trust and naivety to snare login credentials. Or they could launch a spear-phishing attack that deceives one of your users into visiting a malicious website that exploits their browser, or into opening a document that exploits an application on their computer or mobile device.

If the adversary is an internal user (a “trusted insider”), they normally do not have to go through the infiltration phase, as they already have authorized access to your computing and network resources. This ancillary infiltration case, “Insider Threat”, is also shown in Figure 1.

Command and Control (“C2”) Communication Phase

Once an external adversary has gained unauthorized access to and control over one of your computing assets (“compromised” it), the first such asset being “Victim 0”, they will typically exercise complete remote control over that compromised asset. The attacker will normally do that by using remote administration utilities that are already available on the compromised asset, or by installing a “back door” program such as a remote access trojan (RAT) on the asset, which they will then use to communicate with it. This results in command and control (C2) communication between the compromised asset and a remote C2 server. The communication is bi-directional, with beaconing messages going from the victim to the server and commands being issued from the server to the victim. Because the victim initiates each connection, this traffic looks like ordinary outbound activity to a firewall, and it is commonly carried over HTTP or HTTPS so that it blends in with web browsing.
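Beaconing is what makes the C2 phase visible on the wire: the implant calls home at a fixed interval with small messages of nearly constant size. The following is an added example (not from the original paper and not Fidelis code) of the detection logic a sensor or an analyst querying session metadata can run over plain connection records. The connection records, IP addresses and thresholds are constructed for illustration.

```python
"""Find C2 beaconing in outbound connection records: one host calling one
destination at a regular interval with payloads of nearly constant size."""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample: (timestamp_s, src_ip, dst_ip, dst_port, bytes_sent).
# 10.0.0.5 calls 203.0.113.10 roughly every 60 s with ~300-byte check-ins
# (an implant beaconing); its traffic to 198.51.100.7 is ordinary browsing.
SAMPLE_CONNECTIONS = [
    (0,   "10.0.0.5", "203.0.113.10", 443, 312),
    (61,  "10.0.0.5", "203.0.113.10", 443, 305),
    (119, "10.0.0.5", "203.0.113.10", 443, 310),
    (181, "10.0.0.5", "203.0.113.10", 443, 308),
    (240, "10.0.0.5", "203.0.113.10", 443, 311),
    (299, "10.0.0.5", "203.0.113.10", 443, 307),
    (5,   "10.0.0.5", "198.51.100.7", 443, 4120),
    (17,  "10.0.0.5", "198.51.100.7", 443, 900),
    (140, "10.0.0.5", "198.51.100.7", 443, 22000),
    (150, "10.0.0.5", "198.51.100.7", 443, 1500),
    (400, "10.0.0.5", "198.51.100.7", 443, 600),
]


def find_beacons(connections, min_connections=5, max_jitter=0.15, max_size_cv=0.2):
    """Group by (src, dst, port) and flag pairs whose inter-arrival times and
    payload sizes are both unusually regular. Jitter and size regularity are
    coefficients of variation (stdev / mean), so the thresholds are unitless.
    Returns {(src, dst, port): {"count", "period_s", "jitter"}}."""
    by_pair = defaultdict(list)
    for ts, src, dst, port, nbytes in sorted(connections):
        by_pair[(src, dst, port)].append((ts, nbytes))
    beacons = {}
    for pair, events in by_pair.items():
        if len(events) < min_connections:
            continue
        times = [t for t, _ in events]
        sizes = [b for _, b in events]
        intervals = [later - earlier for earlier, later in zip(times, times[1:])]
        period = mean(intervals)
        if period <= 0 or mean(sizes) <= 0:
            continue
        jitter = pstdev(intervals) / period
        size_cv = pstdev(sizes) / mean(sizes)
        if jitter <= max_jitter and size_cv <= max_size_cv:
            beacons[pair] = {"count": len(events),
                             "period_s": round(period, 1),
                             "jitter": round(jitter, 3)}
    return beacons


if __name__ == "__main__":
    for pair, stats in find_beacons(SAMPLE_CONNECTIONS).items():
        print(pair, stats)
```

Legitimate software polls too (update checkers, monitoring agents), so a beacon score is a lead to be combined with the location dimension (destination reputation, whether the destination is known to the organization), not a verdict on its own. Real implants also randomize their sleep interval; raising `max_jitter` catches more of them at the cost of more pollers to triage.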

Lateral Propagation Phase

Attackers are ultimately interested in valuable data assets to extract information from. So after they have successfully taken control of “Victim 0”, they use that device as a starting point to find and infiltrate other connected assets inside your network. They move laterally from network device to network device, compromising more assets; escalating privilege; looking for and staging sensitive, valuable or classified information; and installing more back doors so they can persist in your environment even if you identify and clean up some of the compromised assets.

Data Exfiltration Phase

Once the attackers have found and staged the data they want to steal, they begin to send it out of the network. They will often try to “obfuscate” the data by encapsulating, compressing, transforming, or encrypting it in some way. Then they will send it out of the network, either by “hiding it in plain sight” on standard outbound network channels such as web (HTTP) and email (SMTP), or by trying to circumvent your standard network security systems (such as web and email proxies) by sending it out of the network using non-standard ports and/or protocols.
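Two of the exfiltration tactics just described leave a trace at the channel level: data that was compressed or encrypted before being posted over HTTP has a byte distribution unlike any web form, and a protocol run over a port it does not belong on is a mismatch between the application and the channel. The following added example (not from the paper and not Fidelis code) scores constructed outbound sessions on both. The port-to-application policy table, the entropy threshold and the sample payloads are assumptions made for the illustration.

```python
"""Flag outbound sessions that hide data in plain sight (high-entropy HTTP
POST bodies) or that run a protocol on a port where it does not belong."""
import math
import random
from collections import Counter

# Which application each egress port is expected to carry (assumed policy).
EXPECTED_APP = {80: "http", 443: "tls", 25: "smtp", 22: "ssh"}


def shannon_entropy(data):
    """Bits per byte: close to 8.0 for compressed or encrypted data,
    well under 6 for text, forms and JSON."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def identify_app(payload):
    """Classify by the first client bytes rather than by the port number."""
    if payload.startswith((b"GET ", b"POST ", b"PUT ", b"HEAD ")):
        return "http"
    if payload[:2] == b"\x16\x03":          # TLS handshake record, TLS 1.x
        return "tls"
    if payload.startswith(b"SSH-"):
        return "ssh"
    if payload.startswith((b"EHLO ", b"HELO ", b"MAIL FROM")):
        return "smtp"
    return "unknown"


def http_body(payload):
    sep = payload.find(b"\r\n\r\n")
    return payload[sep + 4:] if sep != -1 else b""


def inspect_session(session, entropy_threshold=7.5, min_body=256):
    """Return the list of findings for one outbound session."""
    findings = []
    payload, port = session["payload"], session["dst_port"]
    app = identify_app(payload)
    expected = EXPECTED_APP.get(port)
    if expected and app != "unknown" and app != expected:
        findings.append(f"{app} seen on port {port}, expected {expected}")
    if app == "http" and payload.startswith(b"POST "):
        body = http_body(payload)
        if len(body) >= min_body:
            ent = shannon_entropy(body)
            if ent >= entropy_threshold:
                findings.append(f"high-entropy POST body: {ent:.2f} bits/byte over {len(body)} bytes")
    return findings


def scan(sessions):
    """Map session id -> findings, for the sessions that have any."""
    return {s["id"]: f for s in sessions if (f := inspect_session(s))}


# Constructed sample traffic. The "encrypted" blob is a shuffled run of every
# byte value, which has the flat distribution of ciphertext without needing a key.
_blob = bytearray(range(256)) * 8
random.Random(7).shuffle(_blob)


def _post(host, body):
    head = f"POST /upload HTTP/1.1\r\nHost: {host}\r\nContent-Length: {len(body)}\r\n\r\n"
    return head.encode() + body


SAMPLE_SESSIONS = [
    {"id": "s1", "dst_port": 80, "payload": b"GET /index.html HTTP/1.1\r\nHost: www.example\r\n\r\n"},
    {"id": "s2", "dst_port": 80, "payload": _post("forms.example", b'{"name": "alice", "comment": "hello"}' * 20)},
    {"id": "s3", "dst_port": 80, "payload": _post("cdn-sync.example", bytes(_blob))},
    {"id": "s4", "dst_port": 443, "payload": b"SSH-2.0-OpenSSH_6.6\r\n"},
    {"id": "s5", "dst_port": 443, "payload": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"},
]

if __name__ == "__main__":
    for sid, findings in scan(SAMPLE_SESSIONS).items():
        print(sid, findings)
```

The entropy test only works where the sensor sees the body in the clear, which is why the hardest exfiltration to catch is a legitimate-looking TLS session to a destination with a clean reputation; there the location dimension and volume baselines have to carry the detection.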


The Three Dimensions of Network Threat Intelligence

There are three components you must understand when you are looking for threats in your network:

• Content

• Channels

• Locations

Content – What information is being transferred?

“Content” is the information that is flowing over the network.

Examples of “content” include web pages, files, and email attachments. It is important to understand that content and packets are not the same thing. In most cases today, the “content” is not visible in the packets because it has been buried under multiple levels of encapsulation, encoding, embedding, packing and/or compression. Because most targeted attacks these days involve content-level threats, in the infiltration phase as well as in the data exfiltration phase, it is very important that a network-based ATD system be able to extract, decode and analyze the content traversing the network no matter how deeply or recursively embedded it is. This applies to both inert (non-executable) and active (executable) content objects. One caveat applies to any such system: content inside an encrypted session (TLS, for example) can only be extracted where the traffic is decrypted before it reaches the sensor, so the decryption points in your network determine how much of the content dimension is actually visible.
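To make concrete what “extract, decode and analyze the content no matter how deeply it is embedded” means, here is an added example (my own illustration, not Fidelis code) that recursively unwraps a constructed object: a stub executable, base64-encoded into a text file, zipped, then gzipped, the way a mail attachment or web download might carry it. The container types handled, the depth limit and the size ceiling are assumptions; the decompression-bomb guard is the check a real decoder cannot skip, because a crafted archive can declare a small size and inflate to gigabytes.

```python
"""Recursively unwrap a content object (gzip -> zip -> base64 text -> ...)
until the innermost objects are reached, reporting any executable found."""
import base64
import gzip
import io
import re
import zipfile

MAX_DEPTH = 8                  # bound on nesting, so a crafted object cannot recurse forever
MAX_OBJECT_BYTES = 10_000_000  # refuse to inflate any single layer past this (zip/gzip bomb guard)
_B64_ALPHABET = re.compile(rb"^[A-Za-z0-9+/]+={0,2}$")


def identify(data):
    """Classify an object by its magic bytes, never by a filename or extension."""
    if data[:2] == b"\x1f\x8b":
        return "gzip"
    if data[:4] == b"PK\x03\x04":
        return "zip"
    if data[:2] == b"MZ":
        return "pe-executable"
    compact = b"".join(data.split())       # base64 is often line-wrapped (MIME)
    if len(compact) >= 16 and len(compact) % 4 == 0 and _B64_ALPHABET.match(compact):
        return "base64-text"               # heuristic: short plain text can match too
    return "unknown"


def unwrap(data, path="root", depth=0, found=None):
    """Return [(path, type)] for every object seen, recursing into containers."""
    if found is None:
        found = []
    kind = identify(data)
    found.append((path, kind))
    if depth >= MAX_DEPTH:
        return found
    if kind == "gzip":
        with gzip.GzipFile(fileobj=io.BytesIO(data)) as gz:
            inner = gz.read(MAX_OBJECT_BYTES + 1)   # one byte past the cap reveals an overflow
        if len(inner) > MAX_OBJECT_BYTES:
            found.append((path + "/gzip", "skipped-too-large"))
        else:
            unwrap(inner, path + "/gzip", depth + 1, found)
    elif kind == "zip":
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                child = f"{path}/{info.filename}"
                if info.file_size > MAX_OBJECT_BYTES:   # declared size can lie; the read is capped too
                    found.append((child, "skipped-too-large"))
                    continue
                with zf.open(info) as fh:
                    member = fh.read(MAX_OBJECT_BYTES + 1)
                if len(member) > MAX_OBJECT_BYTES:
                    found.append((child, "skipped-too-large"))
                else:
                    unwrap(member, child, depth + 1, found)
    elif kind == "base64-text":
        decoded = base64.b64decode(b"".join(data.split()), validate=True)
        unwrap(decoded, path + "/b64", depth + 1, found)
    return found


def find_executables(data):
    """Paths of every executable object, however deeply it is wrapped."""
    return [path for path, kind in unwrap(data) if kind == "pe-executable"]


def build_sample():
    """Constructed sample: a stub PE (MZ header only), base64-encoded into a
    text file, zipped, then gzipped, as a mail or web download might carry it."""
    stub_pe = b"MZ" + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 100
    zipped = io.BytesIO()
    with zipfile.ZipFile(zipped, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", base64.encodebytes(stub_pe))
    return gzip.compress(zipped.getvalue())


if __name__ == "__main__":
    for path, kind in unwrap(build_sample()):
        print(f"{path}: {kind}")
```

The executable is reported at `root/gzip/invoice.txt/b64`, three layers below anything a packet-level signature could see. A production decoder handles many more container and encoding types (MIME, OLE, PDF streams, installers), but the shape is the same: classify by content, unwrap, bound the depth and the inflated size, and repeat.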

Channels – How is the information being transferred?

“Channels” are the way in which information is being transferred over the network.

Channels include the attributes of the network ports, protocols, and applications that are being used. Channels define the “context” in which information exchange occurs on the network, and that contextual awareness is often critically important in being able to distinguish “normal” network activity from abnormal, suspicious, or malicious network activity. A session that carries one application over the port normally reserved for another (for example, a non-HTTP protocol tunnelled through port 80) is the classic channel-level anomaly.

Locations – Where/who is the information coming from and going to?

“Locations” are everything that relates to the source and destination of the information that is traversing the network.

Examples of “locations” include not just network-, protocol-, and application-level source and destination information such as TCP/UDP ports, IP addresses, DNS domains, and URLs, but also organizational, reputational, and identity-based attributes of the sources and destinations of information.


Threat Detection, Prevention, and Incident Response Requirements

A network-based Advanced Threat Defense system should serve two primary roles:

1. The Threat Detection and Prevention role protects you from internal and external attacks.

2. The Incident Response role helps automate and accelerate your incident response cycle.

In the Threat Detection and Prevention role, the key actions for an ATD are to “detect” and “prevent” a whole spectrum of malicious activity, regardless of the tactics, including phishing, exploits, malware, command and control communication, lateral propagation, data staging, data leakage, and exfiltration, among others. The key technical requirement here is that the ATD system must be able to identify threats in real time – as they occur – and be able to take a unilateral prevention action when it sees them, that is, to block without waiting on another device to act. This unilateral prevention capability is important because, in many cases, the ATD system is the only one in the network security infrastructure that can identify the threat with sufficient precision to block it without disrupting normal network traffic.

In the Incident Response role, the ATD system must be able to discover compromised systems, investigate live and dormant incidents, and contain targeted attacks before they result in data loss. Implicit in the previous statement is the fact that no ATD system can guarantee that you will never be compromised by an advanced adversary. The key technical requirement in this role is that the ATD system must have some form of “historical network memory” and be able to search, query, and analyze the recorded information. This gives the incident responders the ability to “go back in time” and look for things that the system did not know were malicious at the time that they occurred.


Comprehensive Network-Based Advanced Threat Defense Capabilities

A comprehensive network-based ATD solution can be broken down into three critical capabilities:

• Inbound Threat Protection

• Data Theft Protection

• Network Security Analytics

Figure 2. Comprehensive Advanced Threat Defense


Inbound Threat Protection

The industry may lead you to believe that this is only about advanced malware protection; however, a truly comprehensive ATD solution provides protection against targeted persistent attacks at each phase of the threat lifecycle that is visible on the network: before a malicious object is downloaded, while it is transferred within the network, and when it is installed on an endpoint. A truly comprehensive ATD solution protects you with these features:

• Advanced Malware Detection – analyzing scores of inbound objects per second as they flow over the network, maintaining a high malware detection rate with extremely low false positives.

• Rich Malware Execution Forensics – a detailed description of what the malware did when it executed in the virtual execution environment, such as registry, file system and operating system changes, network call-out behavior, etc.

• Real-Time Threat Prevention – analyzing network traffic at multi-gigabit speeds, providing real-time discovery and prevention.

• Automated Threat Intelligence – delivering a continuous stream of finely curated reputational threat intelligence for automatic consumption; a key component in enabling the solution to quickly identify suspicious and malicious activity.

• Flexible Policy (Rules) Engine – operationalizing known advanced threat indicators using open industry standards, like YARA (a rule language for describing the strings and byte patterns that identify a malicious object).

• Wire-Speed Performance – analyzing gigabits of network traffic in real time, providing visibility, analysis, and protection from advanced threats before they harm your enterprise.

Data Theft Protection

A truly comprehensive ATD solution will directly detect and prevent the unauthorized flow of sensitive, valuable, or classified information out of the network. The technical requirements include:

• Data Exfiltration Prevention – using sophisticated rules and techniques to prevent the theft of sensitive and confidential data from your network.

• Intellectual Property Protection – a flexible and powerful policy engine to match the characteristics of your intellectual property and block any unauthorized transfers of this data.


• Complete Content Visibility – delivering network visibility, analysis, and control over all protocols, applications, and file types to defend against advanced threats and prevent data theft in real time.

• Flexible Data Profiling – through a flexible, powerful policy engine, you can define the characteristics of your most valuable data to identify sensitive data and keep it from leaving your network.

• Actionable Alerts – alerts provide comprehensive, actionable information allowing you to rapidly triage and remediate threats.

Network Security Analytics

A comprehensive ATD solution will provide a historical record of all network activity so you may “go back in time” to look for things that you did not know were bad at the time that they occurred. There are many use cases for this capability across all phases of the threat lifecycle. The technical requirements include:

• Full Metadata Capture – collecting details (metadata) about every network transaction. This metadata is stored as historical network memory and leveraged to discover past incursions.

• Multi-dimensional Analysis – analyzing network content against multiple sources of threat intelligence, including reputation feeds, custom policies, and threat prevention policies that are updated frequently.

• Advanced Visualization – delivering dynamic summaries and trends of your enterprise, by host, alerts, location, and protocols, to understand your organization’s threat landscape.

• Customizable Reporting – standard and customizable reports on the rich metadata collected over time.

• Correlated Alerting – correlating alert data for investigation with other transactions potentially related to the threat.

A comprehensive, network-based ATD system should combine all three capabilities – Inbound Threat Protection, Data Theft Protection, and Network Security Analytics – in a seamless, tightly integrated system, under a single management framework.


Integration with Endpoint Security Systems

The main job of a network-based ATD system is to protect the enterprise’s computing assets (endpoints) – at the network level – from being compromised. The primary way it does this is by decoding and analyzing the network traffic that flows to and from those endpoints, looking for indications of threat and/or compromise within the contextual information that is available on the network. It can also simulate endpoint execution environments, for example by incorporating emulators and/or fully virtualized endpoint execution containers (“sandboxes”).

However, no matter how “good” a network-based ATD system is, it needs to have access to the contextual information that is available on the actual enterprise endpoints themselves. To do this, the network ATD system should integrate with endpoint defenses. This integration should include the sharing of contextual information about threats and/or threat intelligence.

For example, if the network ATD system sees malware inbound to an enterprise endpoint, it does not know whether the malware actually executed on the “real” endpoint. On the other hand, if there is an endpoint security solution that is monitoring and recording the behavior of all executable objects on the endpoint, the network ATD system can query the endpoint security system to determine whether the malware actually executed on the target endpoint (or on other endpoints in the enterprise). If the answer is “yes”, the network ATD system can increase the severity of the malware alert and escalate its priority in the security analyst’s workflow.

Figure 3. Integration between Network and Endpoint ATD Systems
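The “historical network memory” requirement from the Incident Response and Network Security Analytics sections and the endpoint query described just above fit together in one workflow: a newly received indicator is run against stored session metadata, and every hit that delivered a file is enriched by asking endpoint telemetry whether that file was executed, which decides the severity. The following added example (my illustration, not Fidelis XPS code and not any endpoint product’s API) does both over constructed session records, endpoint events and a constructed indicator set. The SHA-256 values are hashes of labels, not of real samples, and the field names are assumptions.

```python
"""Historical network memory: run a newly received indicator against stored
session metadata, then ask endpoint telemetry whether a delivered file ran."""
import hashlib
from datetime import datetime, timedelta


def label_hash(label):
    """Constructed stand-in for a file's SHA-256 (a hash of a label, not of a real sample)."""
    return hashlib.sha256(label.encode()).hexdigest()


DROPPER_SHA256 = label_hash("constructed-dropper")
INSTALLER_SHA256 = label_hash("constructed-vendor-installer")

# Session metadata as a sensor would record it for every session, whether or
# not a rule fired at the time (constructed records).
SESSIONS = [
    {"ts": "2014-05-28T08:02:11", "src": "10.0.0.5", "dst": "203.0.113.10", "app": "http",
     "host": "cdn-updates.example", "sha256": DROPPER_SHA256, "bytes_in": 412000},
    {"ts": "2014-05-28T08:05:40", "src": "10.0.0.5", "dst": "203.0.113.10", "app": "tls",
     "host": "cdn-updates.example", "sha256": None, "bytes_in": 900},
    {"ts": "2014-05-29T10:22:03", "src": "10.0.0.9", "dst": "203.0.113.10", "app": "http",
     "host": "cdn-updates.example", "sha256": DROPPER_SHA256, "bytes_in": 412000},
    {"ts": "2014-05-30T14:00:00", "src": "10.0.0.7", "dst": "198.51.100.7", "app": "tls",
     "host": "vendor.example", "sha256": INSTALLER_SHA256, "bytes_in": 9000000},
]

# Process-start telemetry from an endpoint agent (constructed). Note that
# 10.0.0.9 downloaded the dropper but never reported it starting.
ENDPOINT_EVENTS = [
    {"ts": "2014-05-28T08:02:30", "host": "10.0.0.5", "sha256": DROPPER_SHA256, "event": "process_start"},
    {"ts": "2014-05-30T14:01:00", "host": "10.0.0.7", "sha256": INSTALLER_SHA256, "event": "process_start"},
]

# Indicator set that arrives days after the sessions above (constructed).
INDICATORS = {"domains": {"cdn-updates.example"}, "ips": {"203.0.113.10"}, "hashes": {DROPPER_SHA256}}

# (reason label, session field, indicator key)
_MATCH_FIELDS = (("domain", "host", "domains"), ("ip", "dst", "ips"), ("hash", "sha256", "hashes"))


def retro_hunt(sessions, indicators, now_iso, lookback_days=30):
    """The 'go back in time' query: past sessions within the lookback window
    that match any indicator. Returns [(session, [match reasons])]."""
    cutoff = datetime.fromisoformat(now_iso) - timedelta(days=lookback_days)
    hits = []
    for s in sessions:
        if datetime.fromisoformat(s["ts"]) < cutoff:
            continue
        reasons = [reason for reason, field, key in _MATCH_FIELDS
                   if s[field] and s[field] in indicators.get(key, ())]
        if reasons:
            hits.append((s, reasons))
    return hits


def executed_on(events, host, sha256):
    """Endpoint-side context the network sensor cannot see on its own."""
    return any(e["host"] == host and e["sha256"] == sha256 and e["event"] == "process_start"
               for e in events)


def build_incidents(sessions, events, indicators, now_iso):
    """Escalate each retro-hunt hit: a delivered file the endpoint saw run is
    'critical', delivered but not seen running is 'high', contact only is 'medium'."""
    rank = {"critical": 0, "high": 1, "medium": 2}
    incidents = []
    for s, reasons in retro_hunt(sessions, indicators, now_iso):
        if "hash" in reasons:
            severity = "critical" if executed_on(events, s["src"], s["sha256"]) else "high"
        else:
            severity = "medium"
        incidents.append({"host": s["src"], "ts": s["ts"], "reasons": reasons, "severity": severity})
    return sorted(incidents, key=lambda i: (rank[i["severity"]], i["ts"]))


if __name__ == "__main__":
    for incident in build_incidents(SESSIONS, ENDPOINT_EVENTS, INDICATORS, "2014-06-10T00:00:00"):
        print(incident)
```

Run against the constructed data, the hunt surfaces two hosts that contacted the C2 domain days before anyone had an indicator for it; 10.0.0.5 is escalated to critical because the endpoint agent saw the dropper start, while 10.0.0.9 stays at high because “no process_start recorded” is not the same as “did not run” (the agent may not have been installed, or the event may have been missed), which is exactly the kind of gap the analyst has to close by hand.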


The Fidelis XPS™ Solution

The Fidelis XPS™ solution is a comprehensive, network-based Advanced Threat Defense solution consisting of four major components, as shown in Figure 4.

Figure 4. The Fidelis XPS Solution

These components are described briefly below. For more details, see the Fidelis Solution Overview white paper.

• Fidelis Insight is a cloud-based aggregation of dynamic threat intelligence derived from multiple public and proprietary sources. Fidelis Insight includes content-, channel-, and location-based threat intelligence. It also includes a secure, high-capacity, virtual execution (sandbox) environment.

• Fidelis XPS CommandPost is the management system for the Fidelis XPS products and the integration point between the Fidelis XPS solution and other systems in the enterprise network security infrastructure.


• Fidelis XPS Sensors are the “workhorses” of the Fidelis XPS solution. They are typically deployed at boundary points on the enterprise network (e.g. at Internet or MPLS access points, in front of the enterprise file shares, etc.). They can be deployed “in line” with the network traffic or “out of band”, where they receive a copy of the traffic from a network TAP or a switch SPAN port. There are several different types of sensors that are designed for deployment at different points in the physical and logical network infrastructure. The sensors reassemble, decode, and analyze the traffic that traverses the network boundary in real time using Fidelis’ patented Deep Session Inspection® technology, which gives them deep visibility and control over the protocols, applications, and content objects that are flowing over the network. This enables the Fidelis XPS sensor to detect threats that are not visible to other network security systems. The Fidelis XPS sensors include an integrated Malware Detection Stack that identifies malware objects flowing over the network using a combination of rule-based behavioral analysis and static and dynamic malware detection technologies. The malware detection stack uses a high-speed, multi-threaded architecture that can analyze hundreds of objects per second (per sensor). When a sensor detects a session that triggers a threat detection rule, it takes an action on the session. The action is configurable at the rule level and can be a record-and-alert action or a prevention-and-alert action. Note that an out-of-band sensor never sits in the packet path, so any prevention it performs has to interrupt a session that is already in progress (for example with injected TCP resets); where blocking must be guaranteed, the sensor has to be deployed in line.

The sensors also extract rich network-, protocol-, application-, and content-level metadata from each and every network session that occurs on the network – whether the session triggers a threat detection rule or not – and send the metadata to a Fidelis XPS Collector system (if deployed).

• Fidelis XPS Collector is a database for the rich session metadata extracted from all network sessions by the Fidelis XPS sensors. The Collector stores session metadata from one or more Fidelis XPS sensors in a high-speed database and makes it available to analysts via a query and search interface on the Fidelis XPS CommandPost. The Collector supplies historical network memory at a much lower total cost of ownership than a full packet capture system. The Collector corresponds to the “index” component of a full packet capture system, but the Collector’s index is much “richer” because of the deep protocol, application, and content decoding capabilities of the Fidelis XPS sensors that extract the metadata – the richer the index, the higher the probability of detection. The trade-off is that metadata records only the attributes the sensor extracted at the time: unlike full packet capture, the Collector cannot reproduce the original payload for re-analysis with rules that did not exist when the session occurred.


Fidelis XPS Solution Architecture

The Fidelis XPS products are purpose-built for advanced threat defense, and have the following specific architectural capabilities:

• Broad visibility over all network ports, protocols, and applications

• Deep visibility into encapsulated, encoded, embedded, compressed, and obfuscated content

• Multi-dimensional dynamic threat intelligence

• Historical and comprehensive network memory

• Static and dynamic malware detection and analysis

• Data theft/exfiltration detection and prevention

• Open policy, rules, and threat intelligence engine

• Scalability up to 2.5+ Gbps for each stand-alone appliance (up to 20+ Gbps per blade center chassis)

• Unilateral real-time prevention (blocking) capability

• Integrations with leading-edge endpoint-based ATD systems


Fidelis XPS – A Comprehensive Network-Based ATD Solution

Visibility and Control over the Entire Threat Life Cycle

The Fidelis XPS solution includes technologies and threat intelligence that give visibility and control over each of the four phases of the threat lifecycle (infiltration, command and control communication, lateral propagation, and data exfiltration). Experience shows that this “broad spectrum” approach significantly increases the probability of seeing the threat before it does irreparable harm to the targeted organization.

Multi-Dimensional Dynamic Threat Intelligence

Fidelis XPS’ Deep Session Inspection technology, coupled with the dynamic threat intelligence available in Fidelis XPS Insight, gives the Fidelis XPS solution a unique ability to operationalize all three dimensions of network threat intelligence (content, channels and locations) on network traffic. This multi-dimensional visibility also increases the probability of detecting an advanced threat.

Threat Detection/Prevention and Incident Response

The architecture of the Fidelis XPS solution, and in particular its unique combination of real-time detection and prevention capability with both selective and non-selective network memory, enables it to add value both in the threat detection and prevention role and in the incident response role.

Integrations with Endpoint Advanced Threat Detection Systems

The Fidelis XPS solution has integrations with leading-edge endpoint-based ATD systems such as Verdasys Digital Guardian and Bit9 + Carbon Black. These integrations give the Fidelis XPS system access to contextual information that is only available on the endpoint itself.

All Three Critical ATD Capabilities in a Single, Tightly Integrated System

One of the most distinguishing characteristics of the Fidelis XPS solution is that it integrates all three critical capabilities of network-based advanced threat defense (Inbound Threat Protection, Data Theft Protection, and Network Security Analytics) in a single system under a unified management framework, as shown in Figure 4.

The benefits of having all three of these capabilities seamlessly integrated into a single system, under a unified management framework, include: a higher probability of detecting or preventing threats before they result in serious damage; lower incident response costs due to fewer incidents, faster containment and remediation, and lower post-incident charges such as legal and forensics fees; and lower network security infrastructure costs as a result of having fewer boxes, lower maintenance, and less analyst oversight.


About General Dynamics Fidelis Cybersecurity Solutions

General Dynamics Fidelis Cybersecurity Solutions provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today's sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services, delivered by an elite team of security professionals with decades of hands-on experience, and our award-winning Fidelis XPS™ Advanced Threat Defense products, which provide visibility and control over the entire threat life cycle.