War on stealth cyber attacks phishing docusign apache metron
- 3. 3 © Hortonworks Inc. 2011 – 2016. All Rights Reserved
Phishing Attacks
• What is a Phishing Attack?
– An attack that “baits” unsuspecting workers into clicking on links in emails and unknowingly giving attackers a toehold in their employers’ systems.
• From NYTIMES Article (6/13/2016)
“Phishing attacks have become an epidemic. To date, more than 90 percent of breaches have begun with a phishing attack, according to Verizon. Intelligence experts say that phishing attacks are the preferred method of Chinese hackers who have managed to steal things as varied as nuclear propulsion technology and Silicon Valley’s most guarded software code.”
- 8. Systems Accessed for Investigation/Context
“Investigation”
Workflow Steps
• Step 1: Analyst James searches in the SIEM for any events associated with the user Sonja over the last 24 hours
• Step 1 Result: Most events are coming from IP Y, but a few events come from IP X, where she is sending email via her Corp Gmail account.
• Step 1 Insight: Anomalous event – Corp Gmail was decommissioned in favor of Exchange months back and only a few users are currently using it
• Step 2: James does a geo-lookup of IP X and IP Y in Maxmind
• Step 2 Result: IP X is from Ireland and IP Y is from Southern Cali
• Step 2 Insight: Not possible for the same user to be logging in from Ireland & Southern Cali at the same time.
• Step 3: Corp Foo has offices in Ireland & Los Angeles. James files a ticket with the AD team to find the groups that Sonja belongs to.
• Step 3 Result: The groups she belongs to are only associated with Los Angeles and not Ireland
• Step 3 Insight: Unauthorized access is occurring from Ireland
• Step 4: James logs into Foo’s Asset Mgmt system to determine which assets the IPs belong to
• Step 4 Result: IP Y is Sonja’s workstation while IP X is an unidentified asset
• Step 4 Insight: Seems like Sonja is in Southern Cali but someone else pretending to be her is logging in from an unidentified asset
• Step 5: James logs into Soltra, a threat intel aggregation service, to see if IP X has a threat intel hit.
• Step 5 Result: IP X has a threat intel hit; Sonja’s account is immediately shut down & Ethan’s credentials have been reset
• Step 5 Insight: Sonja’s account has been compromised. Shut it down; Ethan’s credentials have been reset. But what other users are affected like Ethan?
Systems Accessed for Investigation/Context: 1 SIEM (Search), 2 Maxmind (IP Geo DB), 3 AD (Identity Mgmt.), 4 Asset Mgmt. (Inventory), 5 Soltra (Threat Intel)
- 9. Systems Accessed for Threat Scope, Forensics and Remediation
“Scope of Threat”
Workflow Steps
• Step 6: James searches the SIEM for FireEye and IronPort email events associated with Sonja. The SIEM doesn’t have that info.
• Step 6 Result: Need to log into FireEye and IronPort
• Step 6 Insight: The SIEM doesn’t have all the FireEye email events I need to determine scope
• Step 7: Log into FireEye Email Threat Prevention Cloud & IronPort to find all emails sent from Sonja’s account from that malicious IP
• Step 7 Result: Have a list of all users that the phishing email was sent to. Can reset the password for all those users
• Step 7 Insight: Understand the scope of the threat and can contain it.
“Forensics”
Workflow Steps
• Step 8: Logs into Cisco IronPort to determine when the attacker first compromised Sonja’s Gmail account
• Step 8 Result: On 3/26, a user from Ireland logged into Sonja’s Corp Gmail account
• Step 8 Insight: Understands when Sonja’s Gmail account was first compromised
• Step 9: Logs into Intermedia, an email archive system, to understand how the account was compromised
• Step 9 Result: Sees a set of emails where the attacker spoofed someone else’s email address, “warmed up” Sonja with a few emails and then sent an email with a link that Sonja clicked on, which stole her credentials
• Step 9 Insight: Understand how Sonja’s account got compromised
Systems Accessed for Investigation/Context: 1 SIEM (Search), 2 Maxmind (IP Geo DB), 3 AD (Identity Mgmt.), 4 Asset Mgmt. (Inventory), 5 Soltra (Threat Intel)
Systems Accessed for Threat Scope: 6 SIEM (Search), 7 FireEye (Email Cloud Security)
Systems Accessed for Forensics: 8 Cisco IronPort (Email On-Premise Security), 9 Intermedia (Email Archive)
Systems Accessed for Remediation: Exchange (Primary Email Service), Corp Gmail (Secondary Email Service), AD & SSO (Identity Provider & SSO)
- 11. The Challenges Faced by the SOC Analyst to Create this Story…
Challenge
• The analyst had to jump from the SIEM to more than 7 different tools, which took up valuable time.
• It took more than 24 hours across 2 SOC shifts to investigate, determine scope, remediate and do further forensics/investigation.
• Half of my time was spent getting the context needed for me to create the story
• The threat was detected too late. Instead of detecting the incident on 4/9, the threat should have been detected on 3/20 when the attacker spoofed Sonja’s email address
Need
• Want a centralized view of my data so I don’t have to jump around and learn other tools
• Eliminate manual tasks to investigate a case
• Need to discover bad stuff quicker
• Need the system to create the context for me in real-time
• The current static rules in the SIEM didn’t detect the threat. Need smart analytics based on:
– User Sonja hasn’t used corp gmail in the last 3 months
– User Sonja can’t login from Ireland and Southern Cali at the same time
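The two “smart analytics” the slide asks for can be written as stateful rules over a stream of authentication events. The block below is an added example, not code from the slides or from Apache Metron: it builds a per-user profile from a constructed baseline, then flags use of a service the user has not touched in 90 days (the dormant Corp Gmail case) and logins whose separation in time and distance implies an impossible travel speed (Ireland and Southern Cali minutes apart). The geo database, IP addresses, timestamps and the 1000 km/h threshold are all constructed stand-ins; a real deployment would replace GEO_DB with a Maxmind lookup and feed events from the SIEM or the ingest pipeline.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed stand-in for an IP geolocation database (Maxmind in the slides):
# network -> (region, latitude, longitude). Documentation address ranges and
# approximate coordinates for Dublin and Los Angeles.
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): ("Ireland", 53.35, -6.26),
    ipaddress.ip_network("198.51.100.0/24"): ("Southern California", 34.05, -118.24),
}

# Constructed authentication events: (ISO timestamp, user, service, source IP).
# BASELINE builds the per-user profile; EVENTS is the stream under analysis,
# modelled on the Sonja scenario from the slides.
BASELINE = [
    ("2015-12-01T10:00:00", "sonja", "corp_gmail", "198.51.100.17"),  # last legitimate Gmail use
    ("2016-03-25T17:30:00", "sonja", "exchange", "198.51.100.17"),
]
EVENTS = [
    ("2016-03-26T08:55:00", "sonja", "exchange", "198.51.100.17"),   # IP Y, her workstation in LA
    ("2016-03-26T09:10:00", "sonja", "corp_gmail", "203.0.113.45"),  # IP X, Ireland, 15 minutes later
]


@dataclass
class Event:
    ts: datetime
    user: str
    service: str
    src_ip: str


def parse(raw):
    ts, user, service, src_ip = raw
    return Event(datetime.fromisoformat(ts), user, service, src_ip)


def geo_lookup(ip):
    """Return (region, lat, lon) for ip, or None when the database has no entry."""
    addr = ipaddress.ip_address(ip)
    for net, info in GEO_DB.items():
        if addr in net:
            return info
    return None


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two latitude/longitude points."""
    dlat, dlon = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dlat / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlon / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))


class Detector:
    """Stateful rules: dormant-service use and impossible travel, per user."""

    def __init__(self, watched_services=("corp_gmail",), dormant_days=90, max_speed_kmh=1000.0):
        self.watched = set(watched_services)
        self.dormant = timedelta(days=dormant_days)
        self.max_speed = max_speed_kmh   # faster than any commercial flight (assumed threshold)
        self.last_service_use = {}       # (user, service) -> datetime
        self.last_location = {}          # user -> (datetime, region, lat, lon)

    def warm_up(self, history):
        """Populate the profile from past events without raising alerts."""
        for e in history:
            self._update(e)

    def process(self, events):
        alerts = []
        for e in events:
            alerts.extend(self._check(e))
            self._update(e)
        return alerts

    def _check(self, e):
        alerts = []
        # Rule 1: a watched service the user has not used within the window (or ever).
        if e.service in self.watched:
            last = self.last_service_use.get((e.user, e.service))
            if last is None or e.ts - last > self.dormant:
                alerts.append({"rule": "dormant_service_use", "user": e.user, "service": e.service,
                               "last_use": None if last is None else last.isoformat(), "src_ip": e.src_ip})
        # Rule 2: two logins whose separation implies a physically impossible speed.
        geo, prev = geo_lookup(e.src_ip), self.last_location.get(e.user)
        if geo and prev:
            prev_ts, prev_region, plat, plon = prev
            region, lat, lon = geo
            distance = haversine_km(plat, plon, lat, lon)
            hours = max((e.ts - prev_ts).total_seconds() / 3600.0, 1 / 60)  # floor at one minute
            if distance / hours > self.max_speed:
                alerts.append({"rule": "impossible_travel", "user": e.user, "from": prev_region, "to": region,
                               "distance_km": round(distance), "minutes_apart": round(hours * 60),
                               "src_ip": e.src_ip})
        return alerts

    def _update(self, e):
        self.last_service_use[(e.user, e.service)] = e.ts
        geo = geo_lookup(e.src_ip)
        if geo:
            self.last_location[e.user] = (e.ts, *geo)


def analyze(baseline, events):
    """Build the profile from baseline, then run both rules over events."""
    det = Detector()
    det.warm_up(parse(r) for r in baseline)
    return det.process(parse(r) for r in events)


if __name__ == "__main__":
    for alert in analyze(BASELINE, EVENTS):
        print(alert)
```

Running the block yields two alerts on the second event: a dormant-service alert (Corp Gmail last used 116 days earlier) and an impossible-travel alert (about 8,300 km in 15 minutes). The warm-up step matters: without a baseline the first sighting of every user would trigger the dormant rule, which is exactly the noise that static SIEM rules produce.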
- 16. Metron Architecture
Telemetry Data Sources
• Network Data (PCAP, Netflow, Bro, etc.)
• IDS (Suricata, Snort, etc.)
• Threat Intelligence Feeds (Soltra, OpenTaxi, third-party feeds)
• Security Endpoint Devices (FireEye, Palo Alto, BlueCoat, etc.)
• Machine Generated Logs (AD, App/Web Server, Firewall, VPN, etc.)
Telemetry Data Collectors
• Performant Network Ingest Probes
• Real-Time Enrich/Threat Intel Streams
• Other
Telemetry Ingest Buffer
Real-Time Processing: Cyber Security Engine
• Telemetry Parsers
• Enrichment
• Indexers & Writers
• Cyber Security Stream Processing Pipeline: Threat Intel, Alert Triage
Data Services & Integration Layer
• Modules
• Community Analytical Models
• Search and Dashboarding Portal
• Security Data Vault
• Provisioning, Mgmt & Monitoring
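To make the stages in the architecture diagram concrete, here is an added example (my own illustration, not Apache Metron code) of the parse → enrich → threat intel → triage → index path over two constructed telemetry records. It also performs automatically the lookups the analyst did by hand in investigation steps 2, 4 and 5 (geo, asset inventory, threat intel). The raw formats, field names, reference tables, scoring weights and the in-memory “index” are all assumptions; only the stage order follows the slide.

```python
import ipaddress
import json
import re

# ---- Constructed reference data: stand-ins for Maxmind (geo), the asset
# inventory and a threat-intel feed such as Soltra ---------------------------
GEO_DB = {
    ipaddress.ip_network("203.0.113.0/24"): {"country": "IE", "city": "Dublin"},
    ipaddress.ip_network("198.51.100.0/24"): {"country": "US", "city": "Los Angeles"},
}
ASSET_DB = {"10.1.4.22": {"hostname": "sonja-ws", "owner": "sonja", "country": "US"}}
THREAT_INTEL = {"203.0.113.45": {"feed": "constructed-feed", "category": "malicious_ip"}}

# Constructed raw telemetry, one record per source type.
RAW = [
    ("bro_conn", "1458983400.123\tCcx4Zq2\t10.1.4.22\t51234\t203.0.113.45\t443\ttcp"),
    ("firewall", "ts=1458983405 src=10.1.4.22 spt=51234 dst=203.0.113.45 dpt=443 proto=tcp action=allow"),
]


# ---- Stage 1: parsers turn each raw line into one normalized schema ---------
def parse_bro_conn(line):
    """Tab-separated record: ts uid src sport dst dport proto (constructed subset of a conn log)."""
    ts, uid, src, sport, dst, dport, proto = line.split("\t")
    return {"source.type": "bro_conn", "timestamp": float(ts), "uid": uid,
            "ip_src_addr": src, "ip_src_port": int(sport),
            "ip_dst_addr": dst, "ip_dst_port": int(dport), "protocol": proto}


KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_firewall_kv(line):
    """key=value firewall log (constructed, not a real vendor format)."""
    kv = dict(KV_RE.findall(line))
    return {"source.type": "firewall", "timestamp": float(kv["ts"]),
            "ip_src_addr": kv["src"], "ip_src_port": int(kv["spt"]),
            "ip_dst_addr": kv["dst"], "ip_dst_port": int(kv["dpt"]),
            "protocol": kv["proto"], "action": kv["action"]}


PARSERS = {"bro_conn": parse_bro_conn, "firewall": parse_firewall_kv}


# ---- Stage 2: enrichment and threat-intel lookups on both endpoints ---------
def geo_lookup(ip):
    addr = ipaddress.ip_address(ip)
    return next((g for net, g in GEO_DB.items() if addr in net), None)


def enrich(event):
    for side in ("ip_src_addr", "ip_dst_addr"):
        ip = event[side]
        geo, asset, ti = geo_lookup(ip), ASSET_DB.get(ip), THREAT_INTEL.get(ip)
        if geo:
            event[f"geo.{side}"] = geo
        if asset:
            event[f"asset.{side}"] = asset
        if ti:
            event[f"threatintel.{side}"] = ti
    return event


# ---- Stage 3: triage scores the enriched event so the worst surfaces first --
def triage(event, alert_threshold=50):
    score, reasons = 0, []
    if any(k.startswith("threatintel.") for k in event):
        score += 80
        reasons.append("endpoint matches threat intel feed")
    asset, geo = event.get("asset.ip_src_addr"), event.get("geo.ip_dst_addr")
    if asset and geo and asset["country"] != geo["country"]:
        score += 20
        reasons.append(f"{asset['hostname']} talking to {geo['city']}, outside its home country")
    event["triage.score"] = score
    event["triage.reasons"] = reasons
    event["is_alert"] = score >= alert_threshold
    return event


# ---- Stage 4: indexer/writer serializes each event to the search index ------
def run_pipeline(raw_records, index=None):
    """Run every raw record through all stages; `index` stands in for the search store."""
    index = [] if index is None else index
    events = []
    for source_type, line in raw_records:
        event = triage(enrich(PARSERS[source_type](line)))
        index.append(json.dumps(event, sort_keys=True))  # one JSON document per event
        events.append(event)
    return events


if __name__ == "__main__":
    for ev in run_pipeline(RAW):
        print(ev["source.type"], ev["triage.score"], ev["triage.reasons"])
```

Both records describe the same connection from Sonja’s workstation to the IP with a threat intel hit, so both come out of triage with a score of 100 and `is_alert` set; the same traffic to a US address with no intel match scores 0. Because every enrichment is attached to the event itself, the analyst reads geo, asset and intel context off one document instead of logging into three systems.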
- 20. Analytics
Descriptive, Diagnostic, Predictive, Prescriptive
Metron Security Data Analytics Platform (HDF, HDP); Model as a Service
Data inputs: Deep Packet, Netflow, Appliance Logs, Alerts, Host Logs, Access Logs, Datasets, Social Media, Email, Chat, Forums, Playbook Workflow, HR, IR, Mobile Devices, Machine Exhaust, IoT, Malware Binaries, Sandbox, Honeypot, Deception, SaaS, Web Mining
Enrichments: Geo Enrich, Host Enrich, App. Enrich, Identity Enrich, Domain Enrich, Business Enrich, CMDB Enrich, Compl. Enrich, Knowledge Graph, Entity Profiles, Interaction Graph
Use Cases: Insider Threat, Data Access Management, Breach Detection, Exfiltration, Lateral Movement, Malware Detection, Alerts Triage, Remediation