1. ANATOMY OF A HIGH PROFILE ATTACK
Modern Lessons for Security Monitoring
Prepared for HP Protect 2011
Prepared by:
Anton Goncharov, CISSP, Partner, Solutions Architect, anton.goncharov@metanetivs.com
Dragos Lungu, CISSP, CISA, Security Consultant, dragos.lungu@metanetivs.com
2. METANET IVS
• SIEM and Event Management Group
• Heavy focus on HP/ArcSight solutions
• Based in New York with team members world-wide
• Services: Infrastructure Management, Monitoring and Support
• ArcSight Tools (RR, NMI)
• Technical Forum (answers.metanetivs.com)
OUR TOP 3 STRENGTHS*: Experience, Expertise, Quality
PROPRIETARY AND CONFIDENTIAL
* Source: MetaNet Customer Survey, 6/2011
3. Agenda
1. Discuss attacks against Sony, HBGary, and RSA
2. Review the weaknesses and vulnerabilities which allowed the attacks to succeed
3. Look at the practices and solutions which could have helped prevent the breaches
4. Discuss integration of prevention and monitoring
5. Discuss how ArcSight ESM can combat new threats by improving infrastructure visibility
5. SONY: Brief Intro
✓ April and May 2011
✓ PlayStation Network
✓ Followed by:
• Qriocity
• Sony Online Entertainment
• Regional (Thailand, Greece, Indonesia)
✓ 100M+ PSN accounts stolen
✓ $173M+ direct costs
(Source: eWeek)
6. SONY: Attack Dissection
1. Inject exploit in web server / application servers
2. Gain DB access (database servers)
3. Phone home & upload data
7. SONY: Weaknesses
✓ Inefficient vulnerability management
✓ Lack of compensating security controls
✓ SPOF in SSL tunneling
✓ PII security policy unenforced
✓ Poor network segregation
8. HBGary: Brief Intro
• On February 7 2011, HBGary Federal and rootkit.com are compromised
• Over 71,000 corporate emails leaked, triggering a PR disaster
• Intellectual property stolen or destroyed (including a decompiled copy of Stuxnet)
• hbgaryfederal.com is still offline 6 months later*
* As of July 2011
10. HBGary: Weaknesses
✓ Insecure web application programming
✓ Weak password encryption and hashing policies
✓ Repeated violations of password reuse policy
✓ Single-factor authentication throughout critical systems
✓ Weak vulnerability management program
✓ Lack of security training and awareness among critical staff
11. RSA: Brief Intro
• On March 17, RSA suffers an APT attack targeting the RSA SecurID® product
• Customers exposed to new security risks: RSA ACE server attacks, brute force attacks, phishing attacks to reveal PINs, token serial numbers
• On June 2, data stolen in March is used against Lockheed Martin
• No dollar figure or details on compromised data were given.
“…this information could potentially be used to reduce the effectiveness of a current two-factor authentication” (Art Coviello, Executive Chairman, RSA)
12. RSA: Attack Dissection
Phase 1: Spear phishing with 0-day payload (CVE-2011-0609)
Phase 2: Backdoor infestation (Poison Ivy RAT)
Phase 3: Privilege escalation, deeper scanning
Phase 4: Data acquisition and encryption
Phase 5: Data exfiltration (compromised FTP server)
13. RSA: Weaknesses
✓ Poor security awareness
✓ Lax local security policies facilitating privilege escalation
✓ No segregation of assets based on business role, which allowed access to critical systems
✓ No effective data loss prevention system
15. Common Areas of Concern
✓ Security awareness
✓ Ineffective vulnerability and patch management
✓ Endpoint security policy
✓ Password management issues
✓ Egress content filtering
✓ DLP for critical networks / systems
Nothing new here.
16. Now Back to 2011
✓ New vectors:
• Virtual social engineering, spear phishing, zero-day malware, covert channels, commercialization of attack tools
✓ Higher levels of impact:
• IP theft, cyber espionage / sabotage, market manipulation, vendetta, social riots
✓ Vulnerability management is more challenging:
• Undisclosed zero-days, weak preventative & compensating security controls, limited security practices in the SDLC, ubiquity of critical business data
Targeted attacks, zero-day vulns, and custom malware are brutally efficient.
17. Targeted Attacks
1 in 1,000,000 emails is a targeted attack
57%: increase in targeted attacks in 2010
60.4%: individuals with management responsibilities
Source: Symantec MessageLabs 2011
18. Zero-Day Vulnerabilities Rise
✓ One tell-tale: more out-of-band patches
✓ Vulnerability disclosure changed:
• Vendor bounty programs
• Responsible disclosure vs. full disclosure
• Underground market
✓ New attack vectors are leveraged as technologies mature
This means we don’t know what we’ll be defending against this time next year.
19. Custom Malware
• AV avoidance is part of the QA process
• Sandbox and VM detection
• Small distribution helps avoid detection:
• no packing or polymorphic functions
• code signing using forged certificates
63%: malware undetectable by AV
79%: compromised records where malware was used
Source: Verizon Data Breach Report 2011
21. Low Hanging Fruit
✓ You can leverage traditional event sources to detect attacks:
• Geo/IP data
• Port numbers
• AD auth logs
✓ The attackers know this
✓ The attacks on SONY and others bypassed detection easily
Successful defense requires a bit more effort
22. Addressing Modern Threats
Targeted Attacks / Spear Phishing:
- User training, bi-directional message screening, digital signatures, message encryption, layered anti-spam, browser protection
Zero-Day Vulnerabilities:
- Layered security, critical process isolation, compensating security controls, application-aware IPS (which do not rely on signatures), complete infrastructure visibility
Custom Malware:
- Behavior monitoring, security policy facilitating incident containment, risk-based security management, layered security controls
However, deploying solutions without monitoring them is a waste of resources.
23. So How Do We...
…Assess the effectiveness of the security controls?
…Define a security baseline?
…Recognize internal threats?
…Monitor critical business processes?
…Assess immediate impact in case of a security breach?
The answer is infrastructure visibility.
24. ArcSight ESM Delivers
✓ FlexConnectors for emerging security technologies
✓ FlexConnectors for custom, business-critical applications
✓ Identity Activity Monitoring
✓ Infrastructure mapping across business units and roles
✓ Enforcing corporate security policy
✓ KPI-based information security program tracking
✓ Scalability and flexibility to address future threats and undiscovered use cases
25. Example: Business Infrastructure Mapping
Requirements: a matrix of Business Units (America, EMEA, APAC) × Applications (HR, Accounting, Payroll) × IT Groups (Server, Application, Database), with every cell to be populated.
Asset Import File:
Asset Name* | Hostname | IP | Description* | Asset Group* | Asset Category | Asset Category
APAC HR Server | hrserver | 1.1.1.1 | File server hosting HR data | Insurance | HR | Server
America Payroll DB | payrolldb | 2.2.2.2 | Payroll Oracle DBMS | Credit | Payroll | Database
EMEA Acct App Server | acctapp | 3.3.3.3 | Accounting application server for EMEA | Investments | Accounting | Application
* - supported by MetaNet NMI (Network Model Importer)
26. Example: Business Infrastructure Reporting
Trend Table:
Date | Event Name | Hostname | IP | BU | Group | App | Event Count
12-09-11 | Malware Infection | payrolldb | 2.2.2.2 | Credit | Database | Payroll | 16
13-09-11 | Policy Violation | acctapp | 3.3.3.3 | Investments | Application | Accounting | 42
14-09-11 | Failed Admin Login | hrserver | 1.1.1.1 | Insurance | Server | HR | 25
Trend Based Report: line chart "Failed Admin Logins" (y-axis: event count, 0 to 120; x-axis: Week 1 to Week 7; one series per application: Accounting, HR, Payroll)
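As an added example (not part of the original deck or of ArcSight), the following Python prototypes the enrichment behind the two Business Infrastructure slides: it joins events to the Asset Import File rows by IP, produces the Trend Table rows, and rolls them up per business unit the way the trend chart does. The event list and the unmapped host 10.0.0.9 are constructed sample data.

```python
from collections import Counter, namedtuple

Asset = namedtuple("Asset", "name hostname ip description group app category")
# The three rows of the deck's Asset Import File (Asset Group = business unit,
# the two Asset Category columns = application and IT group).
ASSETS = [
    Asset("APAC HR Server", "hrserver", "1.1.1.1", "File server hosting HR data",
          "Insurance", "HR", "Server"),
    Asset("America Payroll DB", "payrolldb", "2.2.2.2", "Payroll Oracle DBMS",
          "Credit", "Payroll", "Database"),
    Asset("EMEA Acct App Server", "acctapp", "3.3.3.3",
          "Accounting application server for EMEA", "Investments", "Accounting",
          "Application"),
]

# Constructed sample events: (date, event name, destination IP). In ESM these
# would arrive through the OS, application and security-device connectors.
EVENTS = (
    [("12-09-11", "Malware Infection", "2.2.2.2")] * 16
    + [("13-09-11", "Policy Violation", "3.3.3.3")] * 42
    + [("14-09-11", "Failed Admin Login", "1.1.1.1")] * 25
    + [("14-09-11", "Failed Admin Login", "10.0.0.9")] * 3  # host missing from the model
)

def trend_table(events, assets):
    """Aggregate events into Trend Table rows keyed by
    (Date, Event Name, Hostname, IP, BU, Group, App) -> Event Count.
    Events whose IP is not in the asset model are kept as UNMAPPED rows so
    gaps in the infrastructure map stay visible instead of vanishing."""
    by_ip = {a.ip: a for a in assets}
    counts = Counter()
    for date, name, ip in events:
        a = by_ip.get(ip)
        if a is None:
            counts[(date, name, "UNMAPPED", ip, "UNMAPPED", "UNMAPPED", "UNMAPPED")] += 1
        else:
            counts[(date, name, a.hostname, a.ip, a.group, a.category, a.app)] += 1
    return dict(counts)

def events_by_business_unit(table, event_name):
    """Roll a trend table up to business unit for one event name, the grouping
    the deck's 'Failed Admin Logins' trend chart plots over time."""
    totals = Counter()
    for (_, name, _, _, bu, _, _), n in table.items():
        if name == event_name:
            totals[bu] += n
    return dict(totals)
```

A non-empty UNMAPPED bucket is itself a finding: the asset import is incomplete, and every report grouped by BU, Group or App is silently under-counting until the model is fixed.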
27. Example: Security Program Monitoring
KPI | Data Sources | ESM Content / Description
# failed administrative logins | OS, Applications, Network & Security Devices | Line chart reports based on event counts grouped by business units, applications, or groups.
# IT policy violations | Security Event Management | Correlated events with ‘/Policy/Violation’ Event Category based on Policy Violation Rules (IT Gov., and custom).
% systems where security req’s are not met | Vulnerability Management | Area-based graphs showing the percentage of Assets tagged with the ‘Vulnerability’ Asset Category, mapped across time periods.
# average time lag between detection, reporting and action upon security incidents | Issue Tracking Systems, Security Event Management | Reports based on averaged time-to-resolve values provided by ITS or SIEM. Case-based Reports in ArcSight ESM.
29. Conclusions
1. Higher awareness of modern security threats
2. Seek and deploy tools specifically designed to combat modern attacks
3. Solid security policy, procedures and user training
4. No single security control is 100% effective; compensating controls are key
5. On-going monitoring of technical and procedural controls is a must
ArcSight ESM provides the framework to deliver complete infrastructure visibility to enforce your security controls
30. Questions?
We Have Answers:
http://answers.metanetivs.com
31. References
1. eWeek: http://www.eweek.com/c/a/Security/Sony-Networks-Lacked-Firewall-Ran-Obsolete-Software-Testimony-103450/
2. Ars Technica: http://arstechnica.com/tech-policy/news/2011/02/anonymous-speaks-the-inside-story-of-the-hbgary-hack.ars
3. RSA Open Letters: http://www.rsa.com/node.aspx?id=3891
4. Verizon Breach Report 2011: http://securityblog.verizonbusiness.com/2011/04/19/2011-data-breach-investigations-report-released/
5. Symantec MessageLabs Intelligence Reports: http://www.symanteccloud.com/globalthreats/overview/r_mli_reports
6. The VeriSign iDefense Intelligence Report: http://www.verisigninc.com/assets/whitepaper-idefense-trends-2011.pdf
32. THANK YOU
MetaNetIVS.com/P2011
Prepared by:
Anton Goncharov, CISSP, Partner, Solutions Architect, anton.goncharov@metanetivs.com
Dragos Lungu, CISSP, CISA, Security Consultant, dragos.lungu@metanetivs.com