The Ability To Make Decisions Based On Evidence HINGES On Your Ability To Capture It, Access It, Use It. Kevin Keber, Corelight Regional Manager, [email protected], 314-323-3440

MSP - 3-7-18 - CMG, Mar 07, 2018


Page 1

The Ability To Make Decisions Based On Evidence

HINGES On Your Ability To

Capture It, Access It, Use It

Kevin Keber
Corelight Regional Manager
[email protected]

Page 2

THE WORLD RUNS ON DATA.


Your Private Medical Data is For Sale – and It's Driving a Business Worth Billions

January 10, 2017 by Sam Thielman

Your medical data is for sale – all of it. Adam Tanner, a fellow at Harvard’s institute for quantitative social science and author of a new book on the topic, Our Bodies, Our Data, said that patients generally don’t know that their most personal information – what diseases they test positive for, what surgeries they have had – is the stuff of multibillion-dollar business.

But although the data is nominally stripped of personally identifying information, data miners and brokers are working tirelessly to aggregate detailed dossiers on individual patients; the patients are merely called “24601” instead of “Jean Valjean”.

The Data Science Revolution That’s Transforming Aviation.

June 16, 2017 by Sebastien Maire & Chris Spafford

Twentieth-century airplanes generated a lot of data — about the engine systems, fuel use, crew activity, and even weather systems they encountered. But airlines and airports had little to no capability to do much of anything with it, and most of the information could not even be transmitted in real time.

Today, through thousands of sensors and sophisticated digitized systems, the newest generation of jets collects exponentially more, with each flight generating more than 30 times the amount of data the previous generation of wide-bodied jets produced. While currently only about,

Just One Autonomous Car Will Use 4,000 GB of data/day

December 7, 2016 by Patrick Nelson

Two real-life, practical, semi-autonomous vehicle launches next year are an indication that the self-driving car is really happening.

Audi is expected to make its up-to-35-mph hands-free driving system available late next year in some 2018 vehicles.

And Volvo will start testing Drive Me, an autopilot that will introduce 100 Swedish XC90 owners to autonomous driving, according to an Automotive News supplement produced for the Los Angeles Auto Show last month. Two mega-strides forward. But if

Page 3

CYBERSECURITY, LIKE EVERYTHING ELSE,

RELIES ON DATA.

Page 4

AND SINCE VIRTUALLY ALL ATTACKS MUST CROSS THE NETWORK, HAVING COMPLETE NETWORK DATA IS CRITICAL.


• IDS
• IPS
• Firewalls
• Endpoint AV
• Security Analytics

Security Alerts (!): great at raising questions, terrible at answering them.

• Is this real or a false alarm?
• How did this happen?
• How do I stop it?
• How widespread is the damage?
• Are any other systems at risk?
• How do I stop this in the future?
• Who is behind this?

Network data is the ground truth … if you have complete network data.

Page 5

TODAY MOST ORGANIZATIONS HAVE TERRIBLE NETWORK DATA, EXPOSING THEM TO SIGNIFICANT BUSINESS RISK.


= Slow incident response times and limited threat hunting capabilities

Option 1: capture raw traffic data

• Accessible
• Actionable
• Comprehensive
• Cost effective
• Accurate

Option 2: use firewall/IDS/server logs

• Accessible (sometimes)
• Actionable (sometimes)
• Comprehensive
• Cost effective
• Accurate (sometimes)

Page 6

CORELIGHT PROVIDES COMPLETE, ACTIONABLE NETWORK DATA THAT HELPS LIMIT BUSINESS RISK


+ MANY OTHERS…

Corelight’s network data is:

✓ Accessible: a single source of network truth for analytics or storage

✓ Actionable: data fields designed by and for security pros

✓ Comprehensive: covers 35+ network protocols in granular detail

✓ Cost-effective: one to two orders of magnitude less data than full traffic

✓ Accurate: neutrally and faithfully summarizes all network events

Page 7

Data Sources – How Many Can you Come Up with?

• Packet Capture
• Netflow
• Operating System Logs
• Windows Sysmon Logs
• File System
• Systems Process List
• DNS Transaction Logs
• Antivirus Logs
• IDS Alerts
• Firewall Logs
• Application Access Logs
• E-Mail Logs
• Bro Logs
• VPN Access Logs
• SSL Transaction Logs
• Memory Image
• OSINT – Reputation Data
• OSINT – Ownership Data
• OSINT – Passive DNS
• Malware Sandbox Results
• Friendly Intelligence

Page 8

NOT ALL NETWORK DATA SOURCES MAKE THE GRADE

Data Source              Context  Pivot Fields  Search  Acquisition  Retention  FINAL GRADE
Bro Logs                 A        A             A       C            A          A
Netflow                  D        D             A+      A            A+         A-
Packet Capture (PCAP)    A+       A+            C       D            D          B-
IDS Alerts               B        B             A       B            A+         A
OSINT - Passive DNS      B        A             A       A            A+         A
VPN Access Logs          B        D             B       A            A+         B+
Friendly Intelligence    A        A             B       C            A          B+
HTTP Transaction Logs    B        B             B       B            B          B
Malware Sandbox Results  A+       A             C       A            B          B
Firewall Logs            D+       D             B       B            A+         B
OSINT - Ownership Data   C        D             B       A            A+         B
OSINT - Reputation Data  F        C             B       A            A+         B-
DNS Transaction Logs     F        C             B       C            B          C
SSL Transaction Logs     F        D             C       D            B          D

Grading Source: Chris Sanders, Founder @ Applied Network Defense, www.investigationtheory.com

(Chart axis on the slide: Narrow Network Visibility to Broad Network Visibility)

Page 9

BRING YOUR CYBER DEFENCES UP TO SPEED: BETTER NETWORK DATA HAS REAL IMPACT


FASTER INCIDENT RESPONSE
“The amount of time I spend on incidents is now a fraction of what I used to spend.”

CONTEXT FOR THREAT HUNTING
“I haven't seen a more comprehensive tool for tracking and pinpointing lateral movement.”

GET TO THE TRUTH FASTER
“It’s all the essential network data I could possibly want that lets me get to the truth faster.”

Page 10

BETTER NETWORK DATA CAN DRAMATICALLY REDUCE BUSINESS RISK


CORELIGHT CUSTOMER CASE STUDY:

✓ Reduced average incident response time 95%
✓ Unlocked operational capacity to threat hunt
✓ Customer installed it in less than 15 minutes

“With Corelight, the ability to track lateral movement in your network skyrockets.”
- Sr. Security Engineer


Page 12

Bro was created in an environment where:

• the threat model is complex

• ‘normal’ traffic is virtually impossible to define

• new protocols, techniques, architectures are routinely born

• the mission requires bleeding-edge performance

• no clear boundary between ‘inside’ and ‘outside’

It turns out that the tools / techniques forged in this environment are exactly what the world needs now.

Page 13

NATIONAL SCIENCE FOUNDATION

FY 2017 Budget Request to Congress

February 9, 2016

About the Cover: This cover shows two of the winning images from The Vizzies Visualization Challenge. The images are (top): a photograph of microscopic crystals found in a sea urchin’s tooth, and (bottom) an image showing the connectivity of a cognitive computer based on the macaque brain. For more information see: www.nsf.gov/news/special_reports/scivis/ Image credits: Pupa U. P. A. Gilbert and Christopher E. Killian, University of Wisconsin, Madison (top); Emmett McQuinn, Theodore M. Wong, Pallab Datta, Myron D. Flickner, Raghavendra Singh, Steven K. Esser, Rathinakumar Appuswamy, William P. Risk, and Dharmendra S. Modha (bottom)

But don’t just take our word for it: look what made top note in the NSF FY 2017 Budget Request to Congress, just ahead of “Hunting for Gravitational Waves”, the existence of which is a crucial prediction of Einstein’s General Theory of Relativity.

Page 14


FY 2017 NSF Budget Request to Congress

Overview - 19

Highlights

For over 60 years, NSF has pursued investments in fundamental research and education to fulfill its mission of promoting the progress of science and engineering. In doing so, NSF-supported research has connected the discovery and advancement of knowledge with the potential societal, economic, and educational benefits that are critical for continued U.S. prosperity. Below are just a few of the important recent advances that NSF funding continues to enable.

Supercomputer Cybersecurity

Computer networks at national labs, scientific computing facilities, universities, and large companies identify and block hundreds of thousands of hostile intrusions every month, thanks to a freely available cybersecurity software advanced by NSF-funded computer scientists at the University of California, Berkeley. The programmable “Bro” code analyzes a network’s unique data traffic patterns and tailors its defenses as needed, depending on the anomalies detected. The code played a critical role in identifying hackers trying to sell access to federal supercomputers. The NSF-funded Bro Center of Expertise provides resources for users to protect their cyberinfrastructure.

The Bro Network Security Monitor protects many scientific computing networks. Credit: Bro Center of Expertise

Hunting for Gravitational Waves

NSF, in May 2015, helped dedicate the Advanced Laser Interferometer Gravitational-Wave Observatories (LIGO) in Washington State. Researchers using the facilities seek to observe and record gravitational waves for the first time. Those discoveries would allow us to learn more about the phenomena that generate the waves, such as supernovae and colliding black holes. The Advanced LIGO project represents a major upgrade expected to enhance the sensitivity of LIGO’s instruments by a factor of at least 10 and can see a volume of space more than 1,000 times greater than the initial LIGO. The existence of gravitational waves is a crucial prediction of the General Theory of Relativity.

Image of the LIGO observatory in Hanford, Washington, where astronomers completed a major upgrade in a quest to understand the extraordinary mysteries of our universe. Credit: Cfoellmi via Wikimedia Commons.

Page 15

What Makes Bro So Powerful?

Page 16

ORGANIZATIONS USING BRO:


+ MANY OTHERS…

* Information about usage of Bro gathered from public sources, mailing lists, job postings, public talks, etc.

Page 17

CORELIGHT OVERCOMES THESE LIMITS WITH A COMMERCIAL APPROACH TO THE BRO NETWORKING PLATFORM

Bro provides data incident responders need to understand threats, organized in a way they can use immediately.

Page 18

CORELIGHT OVERCOMES THESE LIMITS USING OPEN-SOURCE BRO.

A TINY SUBSET OF RECORDS GENERATED BY BRO:


Page 19

Example DNS record (normalized), one Bro dns.log entry as rendered by Corelight:

timestamp                      2017-10-27T20:26:04.156295Z
UID                            CaspMr2cFnWOmzG9rk
id.orig_h (originating host)   192.168.1.108
id.orig_p (originating port)   8026
id.resp_h (responding host)    192.168.1.1
id.resp_p (responding port)    53
trans_id (transaction ID)      62789
query                          www.test.com
qclass / qclass_name           1 / C_INTERNET
qtype / qtype_name             1 / A
rcode / rcode_name             0 / NOERROR
answers                        69.172.200.235
TTLs                           977.0
rejected                       FALSE
flags                          "AA":false, "TC":false, "RD":true, "RA":true, "Z":0
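The record above is what the analyst consumes; getting there means reading Bro's ASCII log format, whose header directives (#separator, #fields, #types, #unset_field, #empty_field) tell you how to type each column. The parser below is an added example, not code from the slides, from Bro or from Corelight. Its sample dns.log is constructed inline: the first row is the slide's record written as the equivalent TSV line (the slide shows Corelight's JSON rendering, where the AA/TC/RD/RA/Z columns appear as a flags object), and the second row is a made-up NXDOMAIN lookup so that unset ('-') fields are exercised.

```python
"""Parse Bro/Zeek ASCII (TSV) logs into typed records.

Added example; not code from the slides, from Bro or from Corelight. The
sample dns.log is constructed from the DNS record on the slide plus a
made-up NXDOMAIN query.
"""
import datetime
import ipaddress

# Constructed sample log. Bro writes the separator escaped on the first line
# ("#separator \x09"); every other header line and row uses the real tab.
SAMPLE_DNS_LOG = (
    "#separator \\x09\n"
    "#set_separator\t,\n#empty_field\t(empty)\n#unset_field\t-\n#path\tdns\n"
    "#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\ttrans_id\tquery"
    "\tqclass\tqclass_name\tqtype\tqtype_name\trcode\trcode_name\tAA\tTC\tRD\tRA\tZ"
    "\tanswers\tTTLs\trejected\n"
    "#types\ttime\tstring\taddr\tport\taddr\tport\tcount\tstring\tcount\tstring"
    "\tcount\tstring\tcount\tstring\tbool\tbool\tbool\tbool\tcount"
    "\tvector[string]\tvector[interval]\tbool\n"
    "1509135964.156295\tCaspMr2cFnWOmzG9rk\t192.168.1.108\t8026\t192.168.1.1\t53"
    "\t62789\twww.test.com\t1\tC_INTERNET\t1\tA\t0\tNOERROR\tF\tF\tT\tT\t0"
    "\t69.172.200.235\t977.0\tF\n"
    "1509135970.001000\tCz4x1Q2EoC8pvHaRA5\t192.168.1.108\t8027\t192.168.1.1\t53"
    "\t4711\tdoes-not-exist.example\t1\tC_INTERNET\t1\tA\t3\tNXDOMAIN\tF\tF\tT\tT\t0"
    "\t-\t-\tF\n"
    "#close\t2017-10-27-20-30-00\n"
)


def convert(value, ztype, unset, empty, set_sep):
    """Map one TSV column to a Python value according to its Bro type."""
    if value == unset:
        return None
    if ztype.startswith(("vector[", "set[")):
        if value == empty:
            return []
        inner = ztype[ztype.index("[") + 1:-1]
        return [convert(v, inner, unset, empty, set_sep) for v in value.split(set_sep)]
    if ztype == "time":
        return datetime.datetime.fromtimestamp(float(value), tz=datetime.timezone.utc)
    if ztype in ("count", "int", "port"):
        return int(value)
    if ztype in ("double", "interval"):
        return float(value)
    if ztype == "bool":
        return value == "T"
    if ztype == "addr":
        return ipaddress.ip_address(value)
    return value  # string, enum, subnet and anything else stay as text


def parse_zeek_log(text):
    """Return a list of dict records; the header directives drive names and types."""
    sep, set_sep, unset, empty = "\t", ",", "-", "(empty)"
    fields, types, records = [], [], []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#separator "):
            # the separator itself is written escaped, e.g. "\x09" for tab
            sep = line.split(" ", 1)[1].encode().decode("unicode_escape")
            continue
        if line.startswith("#"):
            key, _, val = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = val
            elif key == "unset_field":
                unset = val
            elif key == "empty_field":
                empty = val
            elif key == "fields":
                fields = val.split(sep)
            elif key == "types":
                types = val.split(sep)
            continue  # #path, #open, #close carry no record data
        cols = line.split(sep)
        if len(cols) != len(fields) or len(fields) != len(types):
            raise ValueError("column count does not match #fields/#types header")
        records.append({f: convert(c, t, unset, empty, set_sep)
                        for f, c, t in zip(fields, cols, types)})
    return records


def failed_lookups(records):
    """A first pivot: which hosts asked for names that did not resolve."""
    return [(str(r["id.orig_h"]), r["query"], r["rcode_name"])
            for r in records if r["rcode"] not in (None, 0)]


if __name__ == "__main__":
    recs = parse_zeek_log(SAMPLE_DNS_LOG)
    for r in recs:
        print(r["ts"].isoformat(), r["uid"], r["query"], r["rcode_name"], r["answers"])
    print(failed_lookups(recs))
```

The `uid` column is the field to keep: it is the same connection identifier written to conn.log, files.log and the other protocol logs, which is what makes the cross-log pivots on the following slides possible.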


Page 22

FILE ANALYSIS:

ONE COOL FEATURE AMONG DOZENS.


Page 23

© 2017 Corelight, Inc.

Files log (annotated screenshot; labels as on the slide): when; link to the connections that carried the file; name; bytes; SHA hash; hash

Page 24


Page 25


SSL log (annotated screenshot; labels as on the slide): certificate info; version; cipher; server; success?; curve

Page 26


SMTP log (annotated screenshot; labels as on the slide): connection/files cross-reference; when; where; who; Mail from; Rcpt to; to’s; Hello field; Msg_id; subject; route; reply timestamp; encrypted?; cross-reference to files

Page 27


Software log (annotated screenshot; labels as on the slide): where; what; version

Page 28

What Makes Bro Data Better Data and Not Just More Data?

Page 29

The Power Of The Bro Programming Language - Examples

• Phishing attack identification
• Alert on ransomware execution against a shared file system
• Identify beaconing activity
• Isolate distributed, user-orchestrated login attempts
• Log 32-character SSL fingerprints for reference against an intel feed
• Automate logging and alerting of vulnerable software versions (Flash, SMB1, etc.)
• Alert if a new/unknown file/MIME type appears on your network
• Run the file ID, MD5 and SHA1 or SHA256 hashes against known bad files; alert if a file of type PE appears on the network
• Reconstruct and sandbox all files entering and exiting your network, and automate file analysis of every file
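The third bullet, beacon identification, is the one most often asked about, so here is the logic in working form: an added example written for this page, not a Bro script and not code from the slides or from Corelight. It works over conn.log rows (field names ts, uid, id.orig_h, id.resp_h, id.resp_p are Bro's; the rows themselves are constructed inline) and scores how regular the gaps between a host's connections to one destination are.

```python
"""Spot beaconing in Bro conn.log data: one host reaching the same destination
at near-constant intervals.

Added example; not code from the slides or from Bro/Corelight. Records are
constructed inline using Bro conn.log field names; a real deployment would
feed parsed conn.log rows.
"""
from collections import defaultdict
from statistics import mean, pstdev


def beacon_candidates(conns, min_connections=8, max_jitter=0.15):
    """Group by (orig, resp, port) and score gap regularity.

    jitter = stdev(gaps) / mean(gaps): a scripted check-in has gaps that are
    nearly equal (low jitter); human-driven traffic is bursty (high jitter).
    Returns flagged pairs sorted from most regular to least.
    """
    by_pair = defaultdict(list)
    for c in conns:
        by_pair[(c["id.orig_h"], c["id.resp_h"], c["id.resp_p"])].append(c["ts"])
    flagged = []
    for (orig, resp, port), times in by_pair.items():
        if len(times) < min_connections:
            continue                                 # too few to judge periodicity
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        period = mean(gaps)
        if period <= 0:
            continue                                 # all connections in the same instant
        jitter = pstdev(gaps) / period
        if jitter <= max_jitter:
            flagged.append({"orig": orig, "resp": resp, "port": port,
                            "count": len(times), "period_s": round(period, 1),
                            "jitter": round(jitter, 3)})
    return sorted(flagged, key=lambda f: f["jitter"])


def make_sample_conns():
    """Constructed conn.log rows: a 60 s beacon with sub-second drift, plus ordinary browsing."""
    base = 1509135600.0
    conns = []
    drift = [0.0, 0.4, -0.3, 0.8, -0.6, 0.2, -0.1, 0.5, -0.4, 0.1, 0.3, -0.2]
    for i, d in enumerate(drift):
        conns.append({"ts": base + 60 * i + d, "uid": f"Cbeacon{i:02d}",
                      "id.orig_h": "10.0.0.5", "id.resp_h": "203.0.113.10", "id.resp_p": 443})
    browsing = [0, 3, 4, 40, 41, 42, 120, 300, 301, 700, 702, 1500]
    for i, off in enumerate(browsing):
        conns.append({"ts": base + off, "uid": f"Cbrowse{i:02d}",
                      "id.orig_h": "10.0.0.7", "id.resp_h": "198.51.100.20", "id.resp_p": 443})
    return conns


if __name__ == "__main__":
    for hit in beacon_candidates(make_sample_conns()):
        print(hit)
```

Real implants add randomized sleep, so in practice `max_jitter` is tuned upward and the score is combined with other conn.log columns the page lists (near-identical `orig_bytes`/`resp_bytes` per connection, the same `service`), and the window is long enough to collect `min_connections` at the slowest period you care about.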

Page 30

The TLS 1.3 Security Opportunity / Visibility Challenge: an example of a forever-changing landscape, and why a system built on a mature programming language is so important to the industry.


TLS 1.3 retires static RSA key exchange completely; every TLS 1.3 handshake uses a forward-secret key exchange, typically ECDHE. This makes certain kinds of monitoring harder.

A VERY short description: a web server has a certificate with a public key and a corresponding private key. In the past (with RSA key exchange), anyone holding the server's private key could decrypt all traffic they observed between the server and its clients. That is what allowed certain vendors to sell boxes you uploaded all your private keys to, which then told you what was going on in the traffic. (Yay for visibility, boo for security.)

Perfect forward secrecy decouples the server's long-term private key from the session key that is finally used for encryption: even with the private key, you can no longer read the traffic. It is possible to work around this, but it requires server (or client) modifications and gets very nasty very quickly. This mode of operation was already supported (and increasingly common) in older TLS versions; TLS 1.3 mandates it, and it is impossible to use TLS 1.3 with the old mode.

Another change in TLS 1.3 is that the server certificate is encrypted: in older TLS versions you could read the certificate straight off the wire, but in TLS 1.3 it is only sent after handshake encryption begins. So one loses quite a bit of visibility.

Page 31

Following insights provided by Johanna Amann

Johanna Amann
International Computer Science Institute
1947 Center St., Suite 600, Berkeley, CA 94704
http://www.icir.org/johanna/

About Johanna: Researcher at the International Computer Science Institute, an independent non-profit research institute affiliated with the University of California, Berkeley. Her main research interests lie in the areas of network security, Internet measurement and applied cryptography. She spends most of her time working on the Bro Network Security Monitor and the ICSI SSL Notary Service. She is also an engineer at Corelight and affiliated with the cyber security team of the Lawrence Berkeley National Laboratory.

Page 32

So….The Power Of Bro Demonstrated Through a Discussion of TLS 1.3

• First, Bro already supports TLS 1.3. TLS 1.3 is the first protocol version in a while with (relatively) major changes to the wire format, and Bro can already parse it.

• At ICSI, Johanna Amann leads a project, running since 2012, that observes TLS sessions at several universities to get a view of the current state of the ecosystem. All of the data is captured using Bro. (Findings and insights were presented at BroCon 2017; an in-depth discussion can be provided in a follow-up if interested.)

• While we obviously lose some visibility in an environment that uses TLS 1.3, Bro gets all the useful information out of the protocol that can still be had; in particular the server name, sent in the SNI extension, is still not encrypted.

• The net result is that Bro has great support for SSL/TLS in general and can extract all kinds of information from the metadata before encryption starts. This was driven largely by the research project referenced above, running since 2012, which is why Bro supports a whole bunch of weird edge-case protocol features that nearly no one else bothers with.
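To make concrete what "metadata before encryption starts" means for the two slides above, here is a parser for the plaintext ClientHello fields a passive monitor can still read under TLS 1.3: legacy version, offered cipher suites, the SNI server name and the supported_versions extension. It is an added example, not Bro's own TLS analyzer and not code from the slides or from Corelight. The record layout follows RFC 8446 and RFC 6066; `build_client_hello` constructs the sample bytes inline (the 32-byte random is zeros, a constructed placeholder), and `parse_client_hello` is the monitor side.

```python
"""Extract what a passive monitor can still read from a TLS 1.3 ClientHello.

Added example; not code from the slides, from Bro or from Corelight. Framing
follows RFC 8446 (TLS 1.3) and RFC 6066 (server_name). build_client_hello()
constructs the sample bytes inline; parse_client_hello() is the monitor side.
"""
import struct

TLS12, TLS13 = 0x0303, 0x0304
EXT_SERVER_NAME, EXT_SUPPORTED_VERSIONS = 0x0000, 0x002B
CIPHER_NAMES = {
    0x1301: "TLS_AES_128_GCM_SHA256",                # TLS 1.3 suites
    0x1302: "TLS_AES_256_GCM_SHA384",
    0xC02B: "TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256",
    0x000A: "TLS_RSA_WITH_3DES_EDE_CBC_SHA",         # static RSA: gone in 1.3
}


def build_client_hello(server_name, cipher_suites, versions=()):
    """Constructed ClientHello; versions=() gives a pre-1.3 hello without supported_versions."""
    name = server_name.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name        # NameType host_name(0)
    sni = struct.pack("!H", len(entry)) + entry                   # ServerNameList
    exts = struct.pack("!HH", EXT_SERVER_NAME, len(sni)) + sni
    if versions:
        vs = b"".join(struct.pack("!H", v) for v in versions)
        sv = bytes([len(vs)]) + vs                                # 1-byte length prefix
        exts += struct.pack("!HH", EXT_SUPPORTED_VERSIONS, len(sv)) + sv
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    body = (struct.pack("!H", TLS12) + bytes(32)                  # legacy_version, random (zeros: constructed)
            + b"\x00"                                             # empty legacy_session_id
            + struct.pack("!H", len(suites)) + suites
            + b"\x01\x00"                                         # compression_methods: null only
            + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body     # HandshakeType client_hello(1)
    return struct.pack("!BHH", 0x16, TLS12, len(handshake)) + handshake  # TLSPlaintext header


def parse_client_hello(record):
    """Return the plaintext fields: legacy_version, cipher suites, SNI, supported_versions."""
    ctype, _rec_version, _rec_len = struct.unpack("!BHH", record[:5])
    if ctype != 0x16 or record[5] != 0x01:
        raise ValueError("not a ClientHello handshake record")
    body = record[9:9 + int.from_bytes(record[6:9], "big")]
    info = {"legacy_version": struct.unpack("!H", body[:2])[0],
            "cipher_suites": [], "server_name": None, "supported_versions": []}
    pos = 2 + 32                                   # legacy_version + random
    pos += 1 + body[pos]                           # legacy_session_id
    cs_len = struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    info["cipher_suites"] = [struct.unpack("!H", body[i:i + 2])[0]
                             for i in range(pos, pos + cs_len, 2)]
    pos += cs_len
    pos += 1 + body[pos]                           # compression_methods
    if pos >= len(body):
        return info                                # hello without extensions (very old clients)
    ext_end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos += 2
    while pos + 4 <= ext_end:
        etype, elen = struct.unpack("!HH", body[pos:pos + 4])
        data = body[pos + 4:pos + 4 + elen]
        pos += 4 + elen
        if etype == EXT_SERVER_NAME:
            p = 2                                  # skip ServerNameList length
            while p + 3 <= len(data):
                name_type = data[p]
                name_len = struct.unpack("!H", data[p + 1:p + 3])[0]
                if name_type == 0:                 # host_name
                    info["server_name"] = data[p + 3:p + 3 + name_len].decode("ascii")
                p += 3 + name_len
        elif etype == EXT_SUPPORTED_VERSIONS:
            info["supported_versions"] = [struct.unpack("!H", data[i:i + 2])[0]
                                          for i in range(1, 1 + data[0], 2)]
    return info


def highest_offered_version(info):
    """TLS 1.3 clients keep legacy_version at 0x0303 and advertise 1.3 only in
    supported_versions, so a monitor keyed on the hello version alone undercounts 1.3."""
    return max(info["supported_versions"], default=info["legacy_version"])


if __name__ == "__main__":
    hello = build_client_hello("www.test.com", [0x1301, 0x1302, 0xC02B], [TLS13, TLS12])
    info = parse_client_hello(hello)
    print(info["server_name"], hex(highest_offered_version(info)),
          [CIPHER_NAMES.get(c, hex(c)) for c in info["cipher_suites"]])
```

Everything this function returns is still readable on a TLS 1.3 wire; what is gone is the Certificate message, which now arrives after the handshake keys are in place. SNI is cleartext in TLS 1.3 as standardized; the later Encrypted Client Hello work is what aims to hide it, so a monitor built around `server_name` should treat that field as a visibility that can also disappear.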

Page 33

So….The Power Of Bro Demonstrated Through a Discussion of TLS 1.3

Page 34

So….The Power Of Bro Demonstrated Through a Discussion of TLS 1.3

Copied with permission from Johanna Amann’s BroCon 2017 “SSL Research With Bro” Presentation

Page 35

So….The Power Of Bro Demonstrated Through a Discussion of TLS 1.3

Copied with permission from Johanna Amann’s BroCon 2017 “SSL Research With Bro” Presentation

Page 36

So….The Power Of Bro Demonstrated Through a Discussion of TLS 1.3

• You can use Bro to notice certificates expiring in your local network and warn the responsible people beforehand.

• Bro can be used for policy enforcement in the local environment, checking that all established TLS sessions use strong ciphers (and warning when ciphers that are not strong are encountered).

• It could identify websites that would no longer be shown as secure in Chrome in the future.

Example of a publicly shared script: identify Tor SSL connections by the autogenerated certificates they use: https://github.com/sethhall/bro-junk-drawer/blob/master/detect-tor.bro
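The first two bullets are usually implemented as a Bro script; the same checks can also be run downstream over the ssl.log and x509.log that Bro already writes, which is what this added example does (it is not code from the slides, from Bro or from Corelight). The records are constructed inline with Bro's field names (ssl.log: uid, server_name, version, cipher, established, cert_chain_fuids; x509.log: id, certificate.not_valid_after, certificate.key_type, certificate.key_length); the "now" timestamp and the weak-cipher marker list are this example's own choices.

```python
"""TLS hygiene over Bro ssl.log and x509.log records: weak ciphers, legacy
protocol versions, and certificates about to expire.

Added example; not code from the slides, from Bro or from Corelight. Records
below are constructed inline with Bro field names.
"""
WEAK_CIPHER_MARKERS = ("_RC4_", "_3DES_", "_DES_", "_NULL_", "_EXPORT", "_MD5", "_anon_")
ACCEPTED_VERSIONS = {"TLSv12", "TLSv13"}
DAY = 86400.0
NOW = 1509135600.0  # constructed "now" for the sample; use time.time() in practice

SSL_SAMPLE = [  # constructed ssl.log rows
    {"uid": "C1", "server_name": "intranet.example", "version": "TLSv13",
     "cipher": "TLS_AES_256_GCM_SHA384", "established": True, "cert_chain_fuids": []},
    {"uid": "C2", "server_name": "legacy.example", "version": "TLSv12",
     "cipher": "TLS_RSA_WITH_3DES_EDE_CBC_SHA", "established": True, "cert_chain_fuids": ["F2"]},
    {"uid": "C3", "server_name": "old.example", "version": "TLSv10",
     "cipher": "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA", "established": True, "cert_chain_fuids": ["F3"]},
    {"uid": "C4", "server_name": "probe.example", "version": "TLSv10",
     "cipher": None, "established": False, "cert_chain_fuids": []},
]
X509_SAMPLE = [  # constructed x509.log rows, keyed by the file id in cert_chain_fuids
    {"id": "F2", "certificate.not_valid_after": NOW + 400 * DAY,
     "certificate.key_type": "rsa", "certificate.key_length": 2048},
    {"id": "F3", "certificate.not_valid_after": NOW + 10 * DAY,
     "certificate.key_type": "rsa", "certificate.key_length": 1024},
]


def tls_findings(ssl_records, x509_records, now_ts, warn_days=30):
    """One finding per established session that breaks policy, listing every reason."""
    certs = {c["id"]: c for c in x509_records}
    findings = []
    for s in ssl_records:
        if not s["established"]:
            continue                              # failed handshakes are a different hunt
        reasons = []
        if s["version"] not in ACCEPTED_VERSIONS:
            reasons.append(f"legacy protocol {s['version']}")
        if s["cipher"] and any(m in s["cipher"] for m in WEAK_CIPHER_MARKERS):
            reasons.append(f"weak cipher {s['cipher']}")
        chain = s["cert_chain_fuids"] or []
        leaf = certs.get(chain[0]) if chain else None   # first fuid is the server's leaf cert
        if leaf is not None:
            days_left = (leaf["certificate.not_valid_after"] - now_ts) / DAY
            if days_left < 0:
                reasons.append("certificate expired")
            elif days_left < warn_days:
                reasons.append(f"certificate expires in {days_left:.0f} days")
            if leaf["certificate.key_type"] == "rsa" and leaf["certificate.key_length"] < 2048:
                reasons.append(f"rsa key only {leaf['certificate.key_length']} bits")
        if reasons:
            findings.append({"uid": s["uid"], "server": s["server_name"], "reasons": reasons})
    return findings


def cert_visibility(ssl_records):
    """Count established sessions whose server certificate the monitor actually saw.

    TLS 1.3 sends the certificate after encryption begins, so those sessions have
    no cert_chain_fuids: expiry and key checks need another source for them."""
    seen = {"with_cert": 0, "without_cert_tls13": 0, "without_cert_other": 0}
    for s in ssl_records:
        if not s["established"]:
            continue
        if s["cert_chain_fuids"]:
            seen["with_cert"] += 1
        elif s["version"] == "TLSv13":
            seen["without_cert_tls13"] += 1
        else:
            seen["without_cert_other"] += 1
    return seen


if __name__ == "__main__":
    for f in tls_findings(SSL_SAMPLE, X509_SAMPLE, NOW):
        print(f)
    print(cert_visibility(SSL_SAMPLE))
```

`cert_visibility` is the part that ties back to the TLS 1.3 slides: the expiry check silently stops covering exactly the sessions that moved to 1.3, so an inventory-based check (your own CA or scanner) has to take over for those servers.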

Page 37

So….The Power Of Bro Demonstrated Through a Discussion of TLS 1.3

Mozilla publishes a number of their scripts; some of them are at least slightly interesting. Some examples:

* Look for unusual HTTP methods (DELETE, TRACE, CONNECT, PROPPATCH, etc.) (https://github.com/michalpurzynski/bro-gramming/blob/master/unusual_http_methods.bro)

* Detect RADIUS brute-forcing (https://github.com/michalpurzynski/bro-gramming/blob/master/radius_bruteforcing.bro)

* Detect the default Metasploit SSL certificate (https://github.com/michalpurzynski/bro-gramming/blob/master/metasploit_ssl.bro)

* Detect clients that cause excessive HTTP errors (https://github.com/michalpurzynski/bro-gramming/blob/master/excessive_http_errors_topk.bro). Neat idea: they calculate this not from absolute error counts but from the ratio of errors to the number of requests; attackers are likely to cause a lot of unsuccessful HTTP requests.

* Detect open proxies in your local network (https://github.com/michalpurzynski/bro-gramming/blob/master/detect_open_proxies.bro). That implementation is potentially a bit weak, but the idea is not bad.
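The error-ratio idea from the fourth item, and the unusual-method check from the first, in batch form over http.log rows: an added example written for this page, not the Mozilla scripts themselves (those run inside Bro on its SumStats framework) and not code from the slides. Field names (ts, id.orig_h, method, host, uri, status_code) are Bro's http.log columns; the rows, the threshold values and the expected-method set are constructed for the example.

```python
"""Clients with an excessive HTTP error ratio, and unusual HTTP methods,
computed over Bro http.log rows.

Added example; not the Mozilla scripts and not code from the slides. Records
are constructed inline; status_code is None when the server never answered.
"""
from collections import defaultdict

EXPECTED_METHODS = {"GET", "POST", "HEAD", "PUT", "OPTIONS"}  # assumption: tune per site


def error_ratio_offenders(http_records, min_requests=20, max_ratio=0.5):
    """Flag clients whose share of >=400 responses exceeds max_ratio.

    The ratio rather than a raw error count keeps a busy, healthy client (many
    requests, a few 404s) off the list; min_requests stops a handful of typos
    from flagging a quiet one.
    """
    totals, errors = defaultdict(int), defaultdict(int)
    for r in http_records:
        totals[r["id.orig_h"]] += 1
        if r["status_code"] is not None and r["status_code"] >= 400:
            errors[r["id.orig_h"]] += 1
    offenders = []
    for client, n in totals.items():
        ratio = errors[client] / n
        if n >= min_requests and ratio > max_ratio:
            offenders.append((client, n, errors[client], round(ratio, 2)))
    return sorted(offenders, key=lambda o: o[3], reverse=True)


def unusual_methods(http_records, expected=EXPECTED_METHODS):
    """(client, method) pairs outside the expected set (TRACE, CONNECT, PROPPATCH ...)."""
    return sorted({(r["id.orig_h"], r["method"]) for r in http_records
                   if r["method"] not in expected})


def make_sample_http():
    """Constructed http.log rows: a scanner, a busy normal client, a quiet client with typos."""
    base = 1509135600.0
    rows = []
    for i in range(30):   # scanner guessing paths: 27 of these 30 come back 404/403
        rows.append({"ts": base + i, "id.orig_h": "10.0.0.9", "method": "GET",
                     "host": "www.example.org", "uri": f"/backup{i}.zip",
                     "status_code": 200 if i % 10 == 0 else (403 if i % 7 == 0 else 404)})
    for i in range(200):  # normal client: 8 errors in 200 requests
        rows.append({"ts": base + i, "id.orig_h": "10.0.0.3", "method": "GET",
                     "host": "www.example.org", "uri": f"/page/{i}",
                     "status_code": 404 if i % 25 == 0 else 200})
    for i in range(5):    # quiet client: all errors, but below min_requests
        rows.append({"ts": base + i, "id.orig_h": "10.0.0.4", "method": "GET",
                     "host": "www.example.org", "uri": "/typo", "status_code": 404})
    rows.append({"ts": base + 999, "id.orig_h": "10.0.0.9", "method": "TRACE",  # scanner, no reply seen
                 "host": "www.example.org", "uri": "/", "status_code": None})
    return rows


if __name__ == "__main__":
    rows = make_sample_http()
    print(error_ratio_offenders(rows))
    print(unusual_methods(rows))
```

A request with no recorded status counts toward the client's total but not toward its errors, so a flood of requests the server never answered lowers rather than raises the ratio; if that pattern matters in your environment, count missing responses separately.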

Page 38

A CORELIGHT SENSOR FITS EASILY INTO YOUR EXISTING ARCHITECTURE:


Architecture diagram (components as labelled on the slide): Packet Broker; Corelight Sensor (File Analysis Framework); Bro Logs; Extracted Files; Netflow Data; IDS/IPS; PCAP; Third-Party Intel; Log Analytics / SIEM / Data Lake.

- Provides better data to existing analytics stack
- Is deployed out-of-band: non-disruptive, low risk
- Does not require displacement of current tools or systems