
How to Comprehensively Combat Highly Orchestrated Cyber Attacks

Tony Teo
Director Sales Engineering APAC
Arbor Networks
tteo@arbor.net
What is an Orchestrated Attack Campaign?

An adversary exercising some set of capabilities over some infrastructure against a victim over some period of time.

The four corners of the model:
• Adversary (hacker)
• Capabilities
• Infrastructure
• Victim
Neverquest Attack Campaign

1. A global threat targeting the world’s financial institutions
2. A sophisticated MITB banking and remote access trojan
3. An example of “Crimeware as a Service”
Neverquest: Capabilities and Infrastructure

Capabilities
• Webinjection
• Steganography

Infrastructure
• C2 Infrastructure
• TOR Update Infrastructure (hidden-service .onion addresses)
Neverquest: Adversaries and Victims

“Adversaries” / Victims (charts):
• Target Institutions by Name
• Target Institutions by Geo
• Client Infections by Geo
Attack Campaigns: The Real Advanced Threat

• Advanced Threats have evolved from advanced malware to highly orchestrated attacks by sophisticated human adversaries.
  – Nation State Sponsored Toolkits
  – Industrial Espionage
• The adversary’s campaign is one with endless tactics to evade prevention and detection solutions.
• They will perform their reconnaissance and diligently work with a well-funded team until their mission is complete and with little expectation of being caught in the process.
• Traditional forms of security are insufficient to defend against organized human adversaries using sophisticated combinations of tools and techniques across complex IT environments.

Did You Know?
• 7+: Advanced attacks in 2015 used 7 or more toolkits; less than half exploited a critical vulnerability.
• 40% of advanced attacks in 2015 did not involve malware.
• 20% of all Advanced threat attacks involved DDoS (2014-2015).
• 60% of enterprises take longer than 3 days to investigate a critical security event.
• 200+ Days: Average dwell time of breaches is greater than 200 days.
Attack Campaign – Long Term Objective
Traditional Solutions Challenges – Network (Firewall, IPS, Sandbox)

The problem with network threat detection
• Threat detection overly dependent on in-line deployments at the edge with a focus on blocking based on simple rules that can’t understand orchestrated attacks & contribute to “alarm fatigue”
  – When deciding to block a session/packet, no context to previous sessions, exploits and risk
• Sandboxes overly focus on malware as point of infection => no insight into host behavior
• Threat validation often lacking, with no insight into the risk or details about the victim’s response to the attack
• Often no preserved evidence to help the user ID false positives
• Response workflows don’t exist => feed into SIEM
Traditional Solutions Challenges – SIEM

The problem with legacy SIEM
• Threat detection based on correlated rules that are painful (expensive) to write, prone to false positives & require you to know how you’ll be attacked
• Visibility limited to logs => no insight into activity that doesn’t produce a log, such as network connections
• Threat validation workflow focuses on a single alert (and not orchestrated attacks/campaigns)
  – Deployment based on logs (requires lots of endpoint configuration to send logs) and blind to activity where logs are not sent
• Response workflows are incredibly slow => you can’t ask questions of what happened next
• Are your intelligence sources accurate and current?
50M to 2B Security Events Every Day

Severity          LOW     MEDIUM   HIGH
% of Total        60%     30%      10%
Tool Confidence   Low     Medium   High

(The focus of your team is the HIGH column.)

ORCHESTRATED ATTACK STAGES
STAGE 1 · STAGE 2 · STAGE 3 · STAGE 4 · STAGE 5 · STAGE 6 · STAGE 7
The Anatomy of an Attack Campaign (ORGANIZATION’S NETWORK, centred on SENSITIVE ASSETS)

STAGE 1 – Gets In: unsupervised use of a remote subsidiary consultant
STAGE 2 – Initial Entry Point: bypasses sandbox
STAGE 3 – Delivery: does not use a malware payload
STAGE 4 – Lateral Movement: desktop of CFO
STAGE 5 – Command and Control: server calling out to botmaster in Latvia
STAGE 6 – Exfiltration
STAGE 7 – Mission Complete: use forensics to detail the incident
Compromise is Inevitable, Data Loss is Not

Attackers only Need to Win ONCE, We Need to Win EVERY TIME!

Value / Hunting Toolkit (bottom to top):

Prevention – Comfort Zone (Legacy Controls)
• SIEM
• Vulnerability Patching
• Network (FW, IDS)
• Endpoint (AV)

Transition ↑

Advanced Detection
• Sandbox
• Payload Analysis

Transition ↑

Proactive
• Threat Intelligence
• Network Behavioral Analysis
• Network Forensics

Majority of Organizations (Detect & Respond Strategy) vs. Leading Organizations (Seek & Contain Strategy)
Gap In Existing Approach

                  PREVENT/DETECT                          INVESTIGATE/PROVE   FORENSICS
SOLUTION COST     $$$$                                    $                   $$$$
TIME              (chart)
Tools             SANDBOX, FIREWALL, ENDPOINT,            (gap)               END-POINT FORENSICS,
                  IDS/IPS, SIEM                                               PACKET FORENSICS, INTELLIGENCE

ORCHESTRATED CAMPAIGN STAGES
STAGE 1 Recon – Network
STAGE 2 Exploitation – Network
STAGE 3 Installation/Delivery – Sandbox
STAGE 4 Lateral Movement – Network
STAGE 5 Command/Control – Network
STAGE 6 Exfiltration – Network
STAGE 7 Mission Complete – Network Forensics
Introducing Arbor Networks Spectrum™

See global attack campaigns in real-time across your entire network.
• Arbor’s real-time global threat intelligence harvested from its service provider network is now connected to an organization’s internal traffic patterns to detect the most damaging threats, those representing the highest form of risk.

Search and surface anything within the network.
• Disruptive security forensics with complete visibility into all past and present network activity at a fraction of the cost & complexity.

Prove threats on your network faster.
• Designed with the security user in mind, real-time workflows and analytics to empower & scale security teams to investigate and prove threats 10x more efficiently than existing solutions today.
Why Arbor Spectrum Fills The Gap

                  PREVENT/DETECT                 INVESTIGATE/PROVE (With Arbor)   FORENSICS
MANHOURS REQUIRED (chart)
SOLUTION COST     $$$$                           $                                $$$
RISK IMPACT       Limited                        Improved                         Limited
Tools             SANDBOX, FIREWALL, ENDPOINT,   Threat Intel, Traffic Analysis,  END-POINT FORENSICS,
                  IDS/IPS, SIEM                  Intuitive Workflows              PACKET FORENSICS, INTELLIGENCE

ATTACK CAMPAIGN STAGES
STAGE 1 Recon – Network
STAGE 2 Exploitation – Network
STAGE 3 Installation/Delivery – Sandbox
STAGE 4 Lateral Movement – Network
STAGE 5 Command/Control – Network
STAGE 6 Exfiltration – Network
STAGE 7 Mission Complete – Network Forensics
How We Work: The Arbor Spectrum Platform

RESPOND
• Prove Threat: Timeline + Evidence

INVESTIGATE
• Analytics + Search
• Network + Threat Indicators
• Real-time visualization and workflows: Security Clues, Network Topology, Dossier, Threat Conversations

DETECT
• Global Internet Threats (330+ Providers): Botnet, Darknet, Trojan
• Internal Network Conversations: Flow traffic collection, Packet traffic collection
• Third Party Intelligence (STIX/TAXII): Custom or intelligence feeds
Architecture: Robust Network Archive of Packets & Flow

Diagram: Flow & Packet (IPFIX), IDS Policies and Industry Feeds/STIX (2.1) feed the Arbor AT Platform, which produces Attacks/Indicators, Triggered PCAP and a Layer 7 & flow traffic archive, with PCAP decode & download and a searchable archive of network conversations on top.

• Incoming packets & flows analyzed for security events
• Attacks/Indicators identified and sent to the controller
• Packet archive
  – Attack/Indicator traffic
  – Triggered packet captures (v2.1)
• Searchable archive: network conversation details
  – URLs, DNS names
  – L3/L4 network header fields (flags)
  – HTTP headers
  – DNS decoded data
  – SSL handshake information (future)
  – File hashes (future)
  – Stream entropy (future)
Empower Teams to See, Search, Prove Threats Across the Entire Network

• A single complete view into threat indicators across all entities inside and outside the network
  – Smart workflows and search to validate threats
  – Investigates 10x faster than traditional forensics or SIEM
• Scalable, real-time packet and flow analysis to surface present and past threat activity
  – Interactive Zoom / Pivot
  – Accessible Packet Decode and PCAP
  – Search into all network conversations (days, weeks, months)
• Detect threat conversations across the entire network
  – ATLAS Intelligence Indicators
  – Custom, third party intelligence
  – Network behavior learning and policies
• Easy install and operation
  – Deployed and trained in a day

“We were able to uncover and investigate an entire attack timeline in seven minutes. With our current SIEM it would have taken several days.”
Detect Threats: Reduce Dwell Time

• ATLAS Threat Intelligence
  – Unique view of today’s active threats
• Applied industry knowledge
  – IDS signatures
  – Custom Snort signatures
• Threat hunting workflows
  – Build attack timelines with real-time analysis & rich archive
• Easy & fast access to indicator PCAPs & packet decodes
• Workflows to validate & respond to threats
• Syslog of all triggered indicators
Host Dossier: Speed of analysis & context of conversations

• Provide the IR or SOC analyst with relevant context for a host that’s triggered a threat
  – Traffic analysis pre/post threat
  – Destinations, sources
  – Other alerts on the same host
• Custom search for any host
• Easy workflows to pivot back to hunting or explore detailed connections
• How is this different from SIEM?
  – Speed of analysis
  – Connection/conversation data
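The dossier logic described above, as an added example rather than Arbor’s code: given a host and the timestamp of its triggering alert, split the host’s traffic into pre- and post-trigger windows, rank its peers, and list other alerts on the same host. The flow and alert record shapes, the sample data and the 30-minute window are assumptions constructed for the example.

```python
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample records (not real traffic): flows are
# (timestamp, src, dst, dst_port, bytes); alerts are (timestamp, host, indicator).
FLOWS = [
    ("2016-03-01T09:58:00", "10.1.1.20", "10.1.1.5", 445, 4096),
    ("2016-03-01T10:01:00", "10.1.1.20", "198.51.100.7", 443, 1200),
    ("2016-03-01T10:04:30", "10.1.1.20", "198.51.100.7", 443, 900),
    ("2016-03-01T10:06:00", "10.1.1.20", "198.51.100.7", 443, 3_500_000),
    ("2016-03-01T10:07:00", "10.1.1.30", "10.1.1.20", 3389, 8000),
    ("2016-03-01T11:30:00", "10.1.1.20", "10.1.1.5", 445, 2048),
    ("2016-03-01T10:05:00", "10.1.1.99", "203.0.113.9", 80, 500),
]
ALERTS = [
    ("2016-03-01T10:05:00", "10.1.1.20", "intel: known C2 198.51.100.7"),
    ("2016-03-01T10:06:30", "10.1.1.20", "policy: large outbound transfer"),
    ("2016-03-01T10:05:10", "10.1.1.99", "IDS: HTTP scanner user-agent"),
]


def _ts(s):
    return datetime.fromisoformat(s)


def host_dossier(host, trigger_ts, flows=FLOWS, alerts=ALERTS, window_min=30):
    """Summarise one host's conversations within +/- window_min of the
    triggering alert: byte/flow counts before and after the trigger, the
    heaviest peers, and any other alerts raised on the same host."""
    t0 = _ts(trigger_ts)
    lo, hi = t0 - timedelta(minutes=window_min), t0 + timedelta(minutes=window_min)
    pre, post, peers = Counter(), Counter(), Counter()
    for ts, src, dst, dport, nbytes in flows:
        if host not in (src, dst):
            continue
        t = _ts(ts)
        if not (lo <= t <= hi):
            continue  # outside the dossier window
        peer = dst if src == host else src
        peers[(peer, dport)] += nbytes
        side = pre if t < t0 else post
        side["bytes"] += nbytes
        side["flows"] += 1
    others = [a for a in alerts if a[1] == host and a[0] != trigger_ts]
    return {"host": host, "pre": dict(pre), "post": dict(post),
            "top_peers": peers.most_common(3), "other_alerts": others}
```

For the sample host 10.1.1.20 the post-trigger window is dominated by one external 443 peer, the kind of pre/post contrast the dossier is meant to surface.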
See and Search Anything Across Your Network: Fast access to details of every conversation

• Search robust traffic archive
  – IP/CIDR
  – Host
• Single view of all traffic
  – Flow and packet-based traffic
  – Display layer 7 metadata if available
• Export all available traffic data
  – Flows
  – Packet-based traffic archive
• How is this different from forensics?
  – Speed of analysis: minutes vs. hours
  – Ease of deployment
  – Scale to see every host & conversation on your network
ARBOR ADVANTAGE

© 2016 ARBOR® CONFIDENTIAL & PROPRIETARY
Arbor Overview: 15 Years of Network Excellence

Leading Network Traffic Expertise
• 15 years of understanding the world’s most complex and demanding service provider and enterprise networks.
• Deployed everywhere on the planet (107 countries).
• See more Internet traffic than any other service provider.

Premier Global Security Visibility
• Hourly updates from 330+ providers on attack traffic across the Internet.
• World class security research team analyzing traffic patterns and reverse engineering malware and its infrastructure with ATLAS/ASERT.

Proven Scale Across Blue Chip Installed Base
• 3/5 Top Global Banks.
• Deployed at the largest financial institution in 28 countries.
• 9/10 of largest online brands and hosting providers.
• 100% of Tier 1 Service providers.

(Image: Live Digital Attack Map, powered by Arbor Networks)
ATLAS GLOBAL THREAT ANALYSIS SYSTEM

• ASERT has data of ~98% of ASNs
• ~50% coverage of national CERT teams
• ASERT has seen 2.63B unique IPv4 addresses (~71% of the theoretical space)
• ASERT monitors 1.76M “dark” IPv4 addresses
How ATLAS® and ASERT Work

“MODELING THE GLOBAL INTERNET”

Sources: Global DDoS Visibility · BGP & IP-Transit ASN Tracking · Darknet Monitoring · ASERT Sensors for Malware Processing · Botnet Infiltration · Botnet/Campaign Reversing

INTERNET VISIBILITY
• Internet Health
• DDoS Attacks
• Threat Tracking

MALWARE DETECTION
• Real-time Behavior
• Family Focus

BOTNET MONITORING
• Sinkhole
• Infiltration/Activity Monitoring

CONTEXT ENRICHMENT

ASERT SECURITY RESEARCH (Human Intelligence, Specialized Research Team)

ATLAS® INTELLIGENCE INDICATORS (Categories of Confirmed Threats, Updated Hourly)
Arbor® Enterprise Solutions

Diagram: Global Internet Threats seen across the Global Network; packets & flow collected at the Enterprise Perimeter, Servers, Internal Network and Enterprise Assets; workflow of Investigate, Prove, Act.
Case Study: Detection & Proof of an Attack Campaign in Minutes

Challenge:
• Small Security Operations function responsible for managing events and incidents across a large, distributed network with global data centers.
• Deployed SIEM, security forensics and used 3 open source and other tools to detect and investigate incidents.

Arbor:
• Deployed Arbor within a day and received one hour of training. Within the same day the team was using the solution to find and investigate potential threats.
• Almost immediately a threat indicator was detected using Arbor Intelligence.
• Further analysis of the traffic, and subsequent hosts implicated.
• Investigation took minutes, whereas the team would normally take 3-4 days to perform a similar analysis.
• Their SIEM and existing threat infrastructure had not identified the initial threat indicator.

“The best thing about Arbor Spectrum is that you really don’t even need a novice skill level of network forensics to use it. The interface is straightforward, and it’s simple to extract important information relevant to an investigation.”
– Security Operations Lead, F500 Multinational
The Numbers: # Investigations per 8-Hour Shift

Role                        Today   With Arbor Spectrum
Senior Incident Responder   3       30+
Mid-level Analyst           0       10-20
Junior Analyst              0       5-10
Network Engineer            0       3-5
Arbor Spectrum - Main Competitive Advantages

• Investigate 10x faster than with traditional forensics or SIEM
• Smart workflows and search to validate threats
• Complete view into threat indicators of all entities, inside and outside the network
• Scalable real-time packet and flow analysis to surface present and past threat activity
• Unprecedented visibility and performance of flow and packet analysis
• Interactive zoom/pivot, accessible PCAP, search into all network conversations
• Detect and connect threat conversations across the entire network—from the Internet to the internal network
• ATLAS Intelligence Indicators
• Custom, third party intelligence
• Network behavior learning and policies
• Easy install and operation
• Be deployed and trained in a day
Arbor Spectrum

THANK YOU
