FireEye Technical Briefing 19th March 2015 part 1

I attended a pretty interesting technical update afternoon hosted by FireEye recently and as usual made notes during the talks.

The first talk was titled ‘Staying one step ahead of the attacker’ by David DeWalt, the CEO of FireEye.

This was a broad talk covering the gap between current security defensive and offensive capabilities followed by some thoughts on how to best combat this and detect advanced attacks.

State of the Defence

– Is offence outweighing defence? Offensive skills and tooling are outpacing defensive at the moment.

– Number of offensive groups growing rapidly, great skills

– Lots of state sponsored action occurring – Russia, China, US etc.

– Low barrier of entry

– Emerging states – just need skilled people to enter the game.

– Less to protect, more to gain

– Less advanced / wealthy nations can enter the game at a much higher level than in the traditional physical offence / defence world.


Offence has been winning – they only have to succeed once!

Mean number of days before breach detection is still 205 days.  This has reduced since last year, but it is still orders of magnitude too high.

69% of companies breached learned about the breach from an external entity.

The majority of breaches occurred in companies that had up to date AV etc. – These are still valuable as hackers will go for the low hanging fruit.  However many advanced threats can evade traditional defences.

Defensive capabilities are currently too reactive, and there is a huge volume of noise to sift through to find the one ‘real’ security event.

The basic attack pattern has been unchanged for some time – research through initial exploit to malware and call-back to maintaining presence onto ongoing data exfiltration.

Very often research leads to spear phishing, which leads to the exploit.

Data exfiltration may just be the monitoring of information such as financial data to enable insider trading and fraud; there may not be high volumes of data actually exfiltrated, which makes detection even harder.


Detecting the exploit is key since every phase after that can be encrypted by the attacker.

Advanced threats are everywhere.

Knowing where to focus is key – not a mile wide one inch deep, but an inch wide, a mile deep.

Must understand that;

– Significant % of traffic is not through firewalls

– 100% of attacks are multi flow

– 91% of attacks are multi vector

– Attacks increasingly off band / off network

– Consumerisation increasing surface – more vectors, more flows


Need more pro-active defence.

Monitoring across multiple attack vectors

Need to be able to spot malware that evades traditional defences

Must have skills available in security teams (in house or external) to understand, investigate, respond and automate

Must combine with advanced threat intelligence to know what to look for, what current threats are and how to best respond.

Take away thoughts:

Security needs to provide an overall advanced threat management and response capability;

– Detect

– Protect

– Analyse

– Respond

It’s about joining the dots to provide a complete picture.

K

Phishing; what is phishing and how to protect against it.

Phishing continues to be one of the key attack vectors against both individuals and corporations.

At a personal level it’s one of the most successful ways malicious individuals and groups have for stealing credit card details and identities.

At a corporate level it is one of the most common, if not the most common, entry points into an organisation.  This is true even for the majority of the Advanced Persistent Threat type attacks that are discovered; while they may use many clever techniques to avoid detection once they are established, the usual entry point is via some form of social engineering, with Phishing being the most common social engineering attack.

It is due to this that I was recently asked to create a brief overview of Phishing covering what it is, why it is so prevalent, and what can be done to reduce the risk.  I’m sure most of you are aware what Phishing is, but I thought I would share some of the content of my recent presentation.

I started with a brief overview of what Phishing is;

•Phishing is a fraudulent attempt, usually made through email, to steal your personal information. The best way to protect yourself from phishing is to learn how to recognize a phish.

•Phishing emails usually appear to come from a well-known organization and ask for your personal information — such as credit card number, social security number, account number or password. Often times phishing attempts appear to come from sites, services and companies with which you do not even have an account.

•In order for Internet criminals to successfully “phish” your personal information, they must get you to go from an email to a website. Phishing emails will almost always tell you to click a link that takes you to a site where your personal information is requested. Legitimate organizations would never request this information of you via email.

Wikipedia has a longer version providing an overview of Phishing;

http://en.wikipedia.org/wiki/Phishing

This is actually a pretty good article covering a brief history of Phishing, various Phishing techniques, and some prevention / anti-Phishing tools and techniques.

I then went onto cover some further terminology around different types or developments of Phishing that have dramatically improved its effectiveness;

Phishing began as very generic, spam like emails.  These have over time become much more realistic and targeted in order to improve the chances of success for the attacker.  Various terms have been coined to describe these more targeted attacks;

•Spear Phishing refers to attacks targeted at specific individuals or groups of individuals such as employees of a company.  Attackers will gather personal and / or company specific information in order to improve their chances of success.

•Clone Phishing is where a legitimate email that contains attachments or links is cloned / copied, but with malicious attachments or links.  This exploits the trust that may be inferred from the email coming from a seemingly legitimate source.

•Whaling is a term for phishing attacks specifically targeting only very senior company executives.

•A further term recently coined in a blog post by Bruce Schneier was ‘laser guided precision phishing’ when describing some recent advanced phishing attacks.  The clear message is that these are getting better and harder to spot all the time, and these attacks are seldom stopped by technical means;

–“Only amateurs attack machines; professionals target people”

Basically Phishing continues to evolve, with attackers spending time on reconnaissance of higher value targets to make the attacks look as realistic as possible in order to increase their success rate.

The final part of the presentation covered some of the methods that can be employed to reduce the risk from Phishing attacks;

•Security / Phishing awareness and training.

–PhishMe (or similar service) – this has a great success rate, with figures such as 60% of users clicking on PhishMe email links reducing to <10% after a few cycles.

–Broader training – regular communications from our department around security awareness and things to look out for.

•Make emails from external sources more obvious, such as by changing the display name on internal emails.

–This helps improve vigilance; however, so many emails are received from external sources that the benefit is likely limited.

•Disable links and attachments in emails from external sources

–Likely impacts many business processes, is a white list of all ‘trusted’ email sources feasible or maintainable?

•Ensure any heuristic and zero day type protections are functioning as designed to provide maximum protection from bespoke and new attacks.

•Enforce ‘least privilege’ – no users log onto any machine with administrative or root privileges, always use ‘Run As’ or Sudo for any actions requiring elevated privileges

•Ensure any browsers in use are kept up to date with any anti-phishing add ins / tool bars installed and functioning

•Black / White listing of acceptable sending domains.  White listing is more cumbersome, but more effective, black listing is easier (as with most security technologies) but less effective as it can only block known bad sites / domains.  Neither of these techniques will stop spoofed emails or emails from compromised ‘good’ sites / domains.

•Become involved with organisations / forums such as the Anti Phishing Working Group; http://www.antiphishing.org/
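The two technical controls above that act on the sender (making external mail obvious, and black / white listing sending domains) are easy to prototype, and so is the caveat that neither stops a spoofed or compromised ‘good’ domain. The following is an added example, not code from the original post or from any product mentioned in it: it applies external tagging plus a block- or allow-list to a few constructed messages. The `auth` field on each message is an assumption standing in for the mail gateway’s sender-authentication verdict (e.g. from SPF/DKIM checks), which is the only thing in this model that distinguishes a spoofed trusted domain from the real thing; the domain names are constructed.

```python
"""Added example: external-sender tagging and domain block/allow listing
applied to constructed messages, showing where a domain-only list falls short."""

INTERNAL_DOMAIN = "example.com"                          # assumed internal domain
BLOCKLIST = {"evil-mailer.invalid"}                      # constructed known-bad sending domains
ALLOWLIST = {"example.com", "trusted-partner.invalid"}   # constructed trusted sending domains


def sender_domain(from_header: str) -> str:
    """Return the lower-cased domain of the address in a From: header.

    Handles both 'Display Name <user@domain>' and bare 'user@domain' forms.
    """
    addr = from_header
    if "<" in addr and ">" in addr:
        addr = addr[addr.index("<") + 1 : addr.index(">")]
    return addr.rsplit("@", 1)[-1].strip().lower()


def evaluate(message: dict, mode: str) -> dict:
    """Apply external tagging and one list policy ('blocklist' or 'allowlist').

    message keys (constructed for this example):
      from    - the From: header as the recipient sees it
      subject - the original subject line
      auth    - assumed gateway sender-authentication verdict: 'pass', 'fail' or None
    """
    domain = sender_domain(message["from"])
    external = domain != INTERNAL_DOMAIN
    subject = message["subject"]
    if external:
        subject = "[EXTERNAL] " + subject      # make mail from outside more obvious

    if mode == "blocklist":
        allowed = domain not in BLOCKLIST      # blocks only known-bad domains
    elif mode == "allowlist":
        allowed = domain in ALLOWLIST          # blocks everything not explicitly trusted
    else:
        raise ValueError(f"unknown mode: {mode}")

    # The caveat from the post: both lists only see the *claimed* sender domain.
    # A spoofed 'good' domain passes the list; only the authentication verdict
    # (assumed to come from the gateway) flags it.
    spoof_suspected = allowed and message.get("auth") == "fail"
    return {
        "domain": domain,
        "external": external,
        "subject": subject,
        "allowed_by_list": allowed,
        "spoof_suspected": spoof_suspected,
    }


# Constructed sample messages: internal, known-bad, spoofed trusted partner, unknown newsletter.
SAMPLE_MESSAGES = [
    {"from": "Alice <alice@example.com>", "subject": "Q3 numbers", "auth": "pass"},
    {"from": "billing@evil-mailer.invalid", "subject": "Invoice overdue", "auth": None},
    {"from": "HR <hr@trusted-partner.invalid>", "subject": "Update your payroll details", "auth": "fail"},
    {"from": "news@newsletter.invalid", "subject": "Weekly digest", "auth": "pass"},
]


def run_policy(mode: str) -> list:
    """Evaluate every sample message under the given list mode."""
    return [evaluate(m, mode) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for mode in ("blocklist", "allowlist"):
        print(f"== {mode} ==")
        for r in run_policy(mode):
            print(r)
```

Under the blocklist the spoofed partner message is allowed and only the authentication verdict marks it as suspect; under the allowlist the unknown newsletter is dropped (the ‘cumbersome but more effective’ trade-off), while the spoofed partner message still passes the list for the same reason.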

In conclusion I would wholly recommend a solid defence in depth strategy for your organisation when it comes to security tools and strategy, but I would also say that user training is a key component of reducing the risk from Phishing; if not the most critical component.

A great way to learn more, and help improve anti-phishing techniques is to get involved with organisations such as the Anti Phishing Working Group (link above).  They also offer some useful anti-phishing training.

It would be great to hear your thoughts on Phishing, and the user training vs. technical controls debate.

K

RSA Conference Europe 2012 – They’re inside… Now what?

Eddie Schwartz – CISO, RSA and Uri Rivner – Head of cyber strategy, Biocatch

Talk started with some discussion around general Trojan attacks against companies, rather than long term high tech APTs, with the tagline; If these are random attacks.. We’re screwed!

Worth checking the pitch, but there was a series of examples from the RSA lab in Israel of usernames and passwords and other data that Trojans had sent to C&C servers in Russia.  These included banks, space agencies, science agencies, nuclear material handling companies etc.

So what do the controllers of these Trojans do with the data?  Remember these are random attacks collecting whatever personal data they can get, not specific targeted attacks.  A common example is to sell the data; you can find examples of the criminals on message boards etc. offering banking, government and military credentials for sale.

Moving onto examples of specifically targeted attacks and APTs..  Examples of targeted attacks include; Ghostnet, Aurora, Night Dragon, Nitro and Shady RAT.  These have attacked everything from large private companies, to critical infrastructures to the UN.  All of the given examples had one thing in common – Social Engineering.  Every one used Spear Phishing as their entry vector.

From this I think you need to consider – do you still think security awareness training shouldn’t be high on your organisation’s to-do list?

The talk went on to discuss Stuxnet and Duqu, along with their similarities and differences, largely what was captured in my last post.  The interesting observation here was their likely different places in the attack process.  Stuxnet was at the end and was the actual attack; Duqu was likely much earlier in the process as it was primarily for information gathering.

A whole lot more targeted malware examples were given including Jimmy, Munch, Snack, Headache etc.  Feel free to look these up if you want to do some further research.

A very recent example of a targeted attack that was only discovered in July of this year is VOHO.  This campaign was heavily targeted on geopolitical and defence targets in Boston, Washington and New York.  It was a multistage campaign heavily reliant on JavaScript.  While focused on specific target types the attack was very broad, hitting over 32000 unique hosts and successfully infecting nearly 4000.  This is actually a very good success rate, with the campaign no doubt considered a success by those instigating it..

In light of this evidence it is clear we need a new security doctrine.  You will get hacked despite your hard work; if it has not yet happened, it will..  Learn from the event: an honest evaluation of faults and gaps should result in improvements.

Things to consider as part of this new doctrine;

– Resist – Threat resistant virtualisation, zero day defences

– Detect – Malware traces, big data analytics, behavioural profiling

– Investigate – Threat analysis, forensics and reverse engineering

– Cyber Intelligence – Threat and adversary intelligence

Cyber Intelligence was covered in some more specific details around how we can improve this;

– External visibility – Industry / sector working groups, government, trusted friends and colleagues, vendor intelligence;

  • Can this information be quickly accessed?  For speed it should be in machine readable format, but use whatever works!

– Internal visibility – Do you have visibility in every place it is needed: HTTP, email, DNS, sensitive data etc.?

  • Do you have the tools in place to make use of and analyse all of these disparate data sources?

– Can you identify when commands like NET.. and schedulers etc. are being used?

– Do you have visibility of data exfiltration, scripts running, PowerShell, WMIC (Windows Management Instrumentation Command-line) etc.?

– Do you have the long term log management and correlation in place to put all the pieces of these attacks together?
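The internal visibility questions above (spotting NET commands, schedulers, PowerShell and WMIC, then correlating the pieces) are what a process-creation detection rule set does. The following is an added example written for this post, not code from the talk or from any vendor: it parses a few constructed process-creation log lines (the `host= user= parent= image= cmdline=` format is an assumption, as are the host names and the command lines), flags the command types the talk names, and escalates any host on which more than one distinct rule fires, which is the ‘put the pieces together’ step that needs correlation rather than single alerts.

```python
"""Added example: detection rules for the command types named in the talk,
run over constructed process-creation log lines, with per-host correlation."""
import re
from collections import defaultdict

# Assumed log format: one process-creation event per line, fields as key=value,
# cmdline quoted. Real sources (Sysmon, EDR, audit logs) differ; adapt parse().
LINE_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'parent=(?P<parent>\S+) image=(?P<image>\S+) cmdline="(?P<cmdline>.*)"$'
)

OFFICE_PARENTS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
# PowerShell flags/strings that are rarely seen in interactive admin use.
PS_SUSPICIOUS = ("-enc", "-encodedcommand", "hidden", "downloadstring", "bypass")


def parse(line: str):
    """Return the event fields as a dict, or None if the line does not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def rules_for(ev: dict) -> list:
    """Return the names of every rule that fires on one event."""
    image = ev["image"].lower()
    parent = ev["parent"].lower()
    cmd = ev["cmdline"].lower()
    hits = []
    if image in ("net.exe", "net1.exe"):                          # NET commands (user/group/share)
        hits.append("net_command")
    if image in ("schtasks.exe", "at.exe"):                       # schedulers
        hits.append("scheduler")
    if image == "powershell.exe" and any(f in cmd for f in PS_SUSPICIOUS):
        hits.append("powershell_suspicious")                      # encoded / hidden PowerShell
    if image == "wmic.exe" and "process call create" in cmd:
        hits.append("wmic_process_create")                        # WMIC used to launch processes
    if parent in OFFICE_PARENTS and image in SHELLS:
        hits.append("office_spawned_shell")                       # typical spear-phishing foothold
    return hits


def analyse(lines, min_distinct_rules: int = 2):
    """Run every rule over the lines; escalate hosts with several distinct rule hits."""
    findings = []
    per_host = defaultdict(set)
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue                                              # skip lines we cannot parse
        for rule in rules_for(ev):
            findings.append({"ts": ev["ts"], "host": ev["host"], "user": ev["user"],
                             "rule": rule, "cmdline": ev["cmdline"]})
            per_host[ev["host"]].add(rule)
    escalated = sorted(h for h, rules in per_host.items() if len(rules) >= min_distinct_rules)
    return findings, escalated


# Constructed sample log: WS-101 shows a full chain, SRV-01 one isolated hit, WS-202 benign activity.
SAMPLE_LOG = [
    r'2015-03-19T10:02:11Z host=WS-101 user=jsmith parent=WINWORD.EXE image=powershell.exe cmdline="powershell.exe -nop -w hidden -EncodedCommand BASE64PLACEHOLDER"',
    r'2015-03-19T10:02:40Z host=WS-101 user=jsmith parent=cmd.exe image=net.exe cmdline="net user backup_svc PLACEHOLDER /add"',
    r'2015-03-19T10:03:05Z host=WS-101 user=jsmith parent=cmd.exe image=schtasks.exe cmdline="schtasks /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"',
    r'2015-03-19T10:05:00Z host=WS-202 user=admin parent=explorer.exe image=notepad.exe cmdline="notepad.exe C:\notes.txt"',
    r'2015-03-19T10:06:30Z host=SRV-01 user=svc parent=services.exe image=wmic.exe cmdline="wmic /node:WS-303 process call create cmd.exe /c whoami"',
    r'2015-03-19T10:07:15Z host=WS-202 user=admin parent=explorer.exe image=powershell.exe cmdline="powershell.exe Get-Process"',
    "this line is not a process event and is ignored",
]


if __name__ == "__main__":
    findings, escalated = analyse(SAMPLE_LOG)
    for f in findings:
        print(f"{f['ts']} {f['host']} {f['user']} {f['rule']}: {f['cmdline']}")
    print("escalate:", escalated)
```

Only WS-101 is escalated: each of its events would be a low-value single alert, but the Office-spawned hidden PowerShell, the new local account and the logon-triggered task on one host inside a few minutes are the pieces the talk asks you to be able to put together, and that requires the log retention and correlation to hold them side by side.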

Summary recommendations and call to action..

– Assume you are breached on a daily basis and focus on adversaries, TTPs and their targets

– Develop architecture and tools for internal and external intelligence for real-time and post-facto visibility into threats

– Understand the current state of malware, attack trends, scenarios, and communications

– Adjust security team skills and incident management workflow

– Learn from this and repeat the cycle..

Next steps (call to action!);

– Evaluate your defence posture against APTs, and take the advice from the rest of this post

– Evaluate your exposure to random intrusions (e.g. data stealing Trojans), and take the advice from the rest of this post

Useful presentation from a technical and security team standpoint, but completely missed the human and security awareness training aspect – despite highlighting that all the example APTs used spear phishing to get in the door.  I’d recommend following all the advice of this talk and then adding a solid security awareness program for all employees and really embedding this into the company philosophy / culture.

K

Attack Mitigation – Assume the worst

I have recently been catching up on what was happening at the RSA conference from San Francisco this year and what some of the key security trends are.  One thing that has jumped out is the move from ‘we can protect you’ to you are or will be hacked so what can we do to mitigate the damage and catch the malicious individual or group.

This has been coming for a few years with the increasing use of cyber-warfare by governments and the military, and the emergence of APT (Advanced Persistent Threat), where well funded criminal gangs will expend a lot of time, money and skill to gain long term and potentially subtle footholds in company systems.  These factors, along with all the ‘standard’, existing threats and the continued success of social engineering attacks such as Phishing, have led many security leaders to suggest that you have likely already experienced a breach and you will, not may, experience breaches in the future.

This is backed up by research from the Ponemon institute that suggests 70-80% of organisations have experienced a data breach within the last 20 months.

So in addition to the standard perimeter and control type solutions there are now vendors and consultancy firms offering solutions to limit the damage that occurs when these preventative measures fail, and at the same time capture as much information as possible to aid in the tracking down and capture of the attacker(s).

This is an interesting wake up call for both the security industry and all companies – the protective measures we have relied upon for years work, but they are far from infallible and will fail when faced with a concerted effort or a duped user who already has system access.

A couple of interesting references covering this in more depth;

Dark Reading – http://www.darkreading.com/advanced-threats/167901091/security/news/232602708/security-s-new-reality-assume-the-worst.html

Bruce Schneier – http://www.schneier.com/blog/archives/2012/04/attack_mitigati.html

The Dark Reading article is particularly interesting, and it’s well worth reading both sections.

Remember – your company’s systems will be breached.. What will you have in place to minimise the damage and assist in preventing the attackers from doing the same to more organisations?

K

APT – new threat or just a new name? And just what does it mean?

The term Advanced Persistent Threat (APT) has become the de facto term for criminals, organisations and governments spending considerable time, effort and expertise attempting to gain access to another organisation’s data.

Now this is clearly not a new phenomenon as people with the resources to do so have always put time into getting the information they want using technical and non-technical techniques including;

– Dumpster diving

– Social engineering (over the phone, and in person on site)

– Viruses / Trojans / Worms delivered via email / usb / floppy disk / CD etc.

– Phishing / spear-phishing (or whatever targeted emails / mails used to be called)

etc. etc.

The question is, has this problem suddenly become much larger and more of a concern, or is the new name and much of the news there to create fear and market security tools / services?

I am completely in favour of people having a common language, so giving a simple and agreed term to “criminals, organisations and governments spending considerable time, effort and expertise attempting to gain access to another organisation’s data” is definitely a good thing.  However this needs to be used with caution, so that the accusation of spreading unnecessary fear and uncertainty cannot be levied against the security industry.

For example how many of the attacks that are reported to have been launched from China by the Chinese government were actually launched from botnets in China enabled by the fact that users in the country have amongst the highest levels of unpatched machines in the world?  I don’t know the answer but while reading for this article I found conflicting thoughts and statements on this topic.

There is clearly a need for clarity and openness; everyone in the security industry, and increasingly people not in the industry, are aware that there are many risks out there, especially to machines without AV and not kept patched up to date.  The risk does however need to be fairly and realistically reported.

If a company is compromised, it is currently much less damaging to report it as an APT attack rather than owning up to some unpatched machines or a misconfigured firewall, or someone clicking on a phishing mail while logged in with administrative privileges etc.

Equally though when there is clear evidence of APT, this should be clearly reported, especially if in doing so the techniques used can be revealed to help protect other potential victims.  Should government agents be clearly implicated, this should be reported as governments are supposed to be beholden to international laws and not behave in a criminal manner.  I guess the same could and should be said of individuals and criminal organisations!

In short, clearly agreed universal terminology is a good thing to aid understanding and communication even if it is not describing something new, but clear and open reporting of threats is key if people are to make informed and correct decisions about the real risks and how much time and expense should go into mitigating them vs. other threats and business needs.

Future posts will cover exactly what APT is in more detail, and also ask is the cloud something new?