How to Comprehensively Sweep Out Highly Coordinated Cyber Attacks (如何全力掃蕩高度協調的網路攻擊)
Tony Teo
Director Sales Engineering APAC
Arbor Networks
tteo@arbor.net
What is an Orchestrated Attack Campaign?
An adversary exercising some set of capabilities over some infrastructure against a victim over some period of time (the four vertices of the Diamond Model of intrusion analysis: adversary, capability, infrastructure, victim).
Neverquest Attack Campaign
1. A global threat targeting the world's financial institutions
2. A sophisticated man-in-the-browser (MITB) banking and remote access trojan
3. An example of "Crimeware as a Service"
Neverquest: Capabilities and Infrastructure
• Capabilities: web injection
• Infrastructure: C2 infrastructure
• Advanced threats have evolved from advanced malware to highly orchestrated attacks by sophisticated human adversaries.
• Nation-state-sponsored toolkits
• Industrial espionage
• The adversary's campaign is one with endless tactics to evade prevention and detection solutions.
• They will perform their reconnaissance and diligently work with a well-funded team until their mission is complete, with little expectation of being caught in the process.
Did You Know?
• 7+: advanced attacks in 2015 used 7 or more toolkits; fewer than half exploited a critical vulnerability.
• 40% of advanced attacks in 2015 did not involve malware.
• 20% of all advanced threat attacks involved DDoS (2014-2015).
Attack Campaign – Long Term Objective
Traditional Solutions Challenges – Network
Firewall, IPS, Sandbox
The problem with network threat detection
• Threat detection is overly dependent on in-line deployments at the edge, with a focus on blocking based on simple rules that cannot understand orchestrated attacks and that contribute to "alarm fatigue"
  – When deciding to block a session/packet, there is no context from previous sessions, exploits and risk
• Sandboxes focus overly on malware as the point of infection => no insight into host behavior
• Threat validation is often lacking, with no insight into the risk or details about the victim's response to the attack
• Often no preserved evidence to help the user identify false positives
• Response workflows don't exist => feed into the SIEM
Traditional Solutions Challenges – SIEM
50M to 2B Security Events Every Day
(Figure: "Focus of your team is here")
The Anatomy of an Attack Campaign
(Figure: the seven stages laid out across the organization's network)
• STAGE 1 – Gets In: initial entry point is unsupervised use by a remote subsidiary consultant
• STAGE 2 – Delivery: does not use a malware payload; bypasses the sandbox
• STAGE 3 – Lateral Movement
• STAGE 4 – Sensitive Assets: the desktop of the CFO
• STAGE 5 – Command and Control: a server calling out to a botmaster in Latvia
• STAGE 6 – Exfiltration
• STAGE 7 – Mission Complete: use forensics to detail the incident
Compromise is Inevitable, Data Loss is Not
Legacy controls: prevention and SIEM
Prevention comfort zone:
• Vulnerability patching
• Network (FW, IDS)
• Endpoint (AV)
Gap In Existing Approach
(Figure: endpoint, IDS/IPS, packet forensics, SIEM and intelligence plotted against time)
Introducing Arbor Networks Spectrum™
Why Arbor Spectrum Fills The Gap
(Figure: man-hours required, solution cost ($$$$ / $ / $$$) and risk impact (Limited / Improved / Limited) compared across endpoint, IDS/IPS, packet forensics, SIEM and intelligence versus "With Arbor")
How We Work: The Arbor Spectrum Platform
(Figure: platform workflow ending in "Respond")
Architecture: Robust Network Archive of Packets & Flow
Inputs to the Arbor AT Platform: flow & packet data (IPFIX), IDS policies, industry feeds / STIX (v2.1)
• Incoming packets & flows are analyzed for security events
• Attacks/indicators are identified and sent to the controller
• Packet archive
  – Attack/indicator traffic
  – Triggered packet captures (v2.1)
• Searchable archive: network conversation details
  – URLs, DNS names
  – L3/L4 network header fields (flags)
  – HTTP headers
  – DNS decoded data
  – SSL handshake information (future)
  – File hashes (future)
  – Stream entropy (future)
(Figure: attacks/indicators trigger PCAP into a Layer 7 & flow traffic archive; PCAP decode & download; searchable archive of network conversations)
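The workflow the architecture slide describes (archive flow records with decoded L7 fields, flag conversations that match intelligence indicators, pivot from a flagged host to its whole conversation history) and the stage sequence from "The Anatomy of an Attack Campaign" (C2 callout, lateral movement, exfiltration), as an added Python example. This is not Arbor Spectrum code and does not reflect its schema or algorithms: the record fields, the sample flows, the indicator lists, the internal address ranges, the lateral-movement port set and the exfiltration byte threshold are all constructed assumptions for illustration.

```python
"""Indicator matching and host pivot over a toy conversation archive.

Added example, not Arbor Spectrum code. Every record, indicator, address
range and threshold is constructed for illustration; the field names are
assumptions, not Arbor's schema.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    ts: int             # seconds since epoch (constructed)
    src: str            # source address
    dst: str            # destination address
    dport: int          # destination port
    proto: str
    bytes_out: int      # bytes sent src -> dst
    dns_name: str = ""  # decoded DNS query / HTTP host, when the archive has one


# Constructed IPFIX-style records plus the decoded L7 fields an archive keeps.
SAMPLE_FLOWS = [
    Flow(1000, "10.1.5.20", "10.1.5.1", 53, "udp", 80, "update.example-cdn.test"),
    Flow(1005, "10.1.5.20", "203.0.113.7", 443, "tcp", 1_200, "update.example-cdn.test"),
    Flow(1300, "10.1.5.20", "203.0.113.7", 443, "tcp", 900, "update.example-cdn.test"),
    Flow(1400, "10.1.5.20", "10.1.9.15", 445, "tcp", 30_000),          # SMB to another desktop
    Flow(1450, "10.1.5.20", "10.1.9.15", 3389, "tcp", 5_000),          # RDP to the same host
    Flow(1600, "10.1.9.15", "198.51.100.9", 443, "tcp", 850_000_000),  # bulk upload, no indicator
    Flow(1700, "10.1.7.3", "10.1.5.1", 53, "udp", 70, "intranet.corp.test"),
]

# Constructed indicators (the role threat feeds play on the slide).
INDICATORS = {"ip": {"203.0.113.7"}, "dns": {"update.example-cdn.test"}}
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]  # assumed
LATERAL_PORTS = {135, 445, 3389, 5985}   # RPC, SMB, RDP, WinRM (assumed set)
EXFIL_BYTES = 100_000_000                # assumed per-conversation threshold


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def match_indicators(flows, indicators):
    """Return (flow, reasons) for every conversation touching an indicator."""
    hits = []
    for f in flows:
        reasons = []
        if f.dst in indicators["ip"]:
            reasons.append(f"dst ip {f.dst}")
        if f.dns_name and f.dns_name in indicators["dns"]:
            reasons.append(f"dns {f.dns_name}")
        if reasons:
            hits.append((f, reasons))
    return hits


def host_dossier(flows, host):
    """The pivot: every archived conversation involving host, oldest first."""
    return sorted((f for f in flows if host in (f.src, f.dst)), key=lambda f: f.ts)


def classify(f: Flow) -> str:
    """Map one conversation to the campaign stage it evidences, if any."""
    if is_internal(f.src) and not is_internal(f.dst) and f.bytes_out >= EXFIL_BYTES:
        return "exfiltration"
    if is_internal(f.src) and is_internal(f.dst) and f.dport in LATERAL_PORTS:
        return "lateral_movement"
    if is_internal(f.src) and not is_internal(f.dst) and f.dport != 53:
        return "external_callout"
    return "other"


def campaign_timeline(flows, indicators):
    """Seed on indicator hits, follow lateral movement to newly implicated
    hosts, and return (ts, host, stage, peer) across the whole campaign."""
    hit_flows = {f for f, _ in match_indicators(flows, indicators)}
    implicated, frontier = set(), {f.src for f in hit_flows}
    while frontier:
        host = frontier.pop()
        implicated.add(host)
        for f in host_dossier(flows, host):
            if f.src == host and classify(f) == "lateral_movement" and f.dst not in implicated:
                frontier.add(f.dst)
    timeline = []
    for f in flows:
        if f.src not in implicated:
            continue
        stage = "command_and_control" if f in hit_flows else classify(f)
        if stage != "other":
            timeline.append((f.ts, f.src, stage, f.dst))
    return sorted(timeline)


if __name__ == "__main__":
    for ts, host, stage, peer in campaign_timeline(SAMPLE_FLOWS, INDICATORS):
        print(f"{ts:>5} {host:<12} {stage:<20} -> {peer}")
```

The point of the pivot is the context the network-challenges slide says an in-line blocker lacks: the 850 MB upload from 10.1.9.15 matches no indicator on its own and would pass a per-session rule, but it is placed in the timeline as exfiltration because the archive shows that host was reached over SMB and RDP from a host that had resolved and beaconed to a known C2. An archive that keeps only the flagged session cannot make that connection.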
Empower Teams to See, Search, Prove Threats Across the Entire Network
• A single complete view into threat indicators across all entities inside and outside the network
  – Smart workflows and search to validate threats
  – Investigates 10x faster than traditional forensics or SIEM
• Scalable, real-time packet and flow analysis to surface present and past threat activity
  – Interactive zoom / pivot
  – Accessible packet decode and PCAP
  – Search into all network conversations (days, weeks, months)
• Detect threat conversations across the entire network
  – ATLAS Intelligence Indicators
  – Custom, third-party intelligence
  – Network behavior learning and policies
• Easy install and operation
  – Deployed and trained in a day
"We were able to uncover and investigate an entire attack timeline in seven minutes. With our current SIEM it would have taken several days."
Detect Threats: Reduce Dwell Time
Host Dossier: Speed of analysis & context of conversations
See and Search Anything Across Your Network: Fast access to the details of every conversation
ARBOR ADVANTAGE
© 2016 ARBOR® CONFIDENTIAL & PROPRIETARY
Arbor Overview: 15 Years of Network Excellence
ATLAS Global Threat Analysis System
• Context enrichment
• ATLAS® Intelligence Indicators
Arbor® Enterprise Solutions
(Figure: global Internet threats -> global network servers -> enterprise perimeter (packets & flow) -> internal network (packets & flow) -> enterprise assets; workflow: Investigate, Prove, Act)
Case Study: Detection & Proof of an Attack Campaign in Minutes
Challenge:
• A small Security Operations function responsible for managing events and incidents across a large, distributed network with global data centers.
• Deployed SIEM and security forensics, and used 3 open source and other tools to detect and investigate incidents.
Arbor:
• Deployed Arbor within a day and received one hour of training. Within the same day the team was using the solution to find and investigate potential threats.
• Almost immediately a threat indicator was detected using Arbor Intelligence.
• Further analysis of the traffic implicated subsequent hosts.
• The investigation took minutes, whereas the team would normally take 3-4 days to perform a similar analysis.
• Their SIEM and existing threat infrastructure had not identified the initial threat indicator.
"The best thing about Arbor Spectrum is that you really don't even need a novice skill level of network forensics to use it. The interface is straightforward, and it's simple to extract important information relevant to an investigation."
– Security Operations Lead, F500 Multinational
The Numbers: # Investigations per 8-Hour Shift
Role                       Today   With Arbor Spectrum
Senior Incident Responder  3       30+
Mid-level Analyst          0       10-20
Junior Analyst             0       5-10
Network Engineer           0       3-5
Arbor Spectrum - Main Competitive Advantages
• Investigate 10x faster than with traditional forensics or SIEM
• Smart workflows and search to validate threats
• Complete view into threat indicators of all entities, inside and outside the network
• Scalable real-time packet and flow analysis to surface present and past threat activity
• Unprecedented visibility and performance of flow and packet analysis
• Interactive zoom/pivot, accessible PCAP, search into all network conversations
• Detect and connect threat conversations across the entire network, from the Internet to the internal network
• ATLAS Intelligence Indicators
• Custom, third-party intelligence
• Network behavior learning and policies
• Easy install and operation
• Deployed and trained in a day
Arbor Spectrum
THANK YOU