Hacker: we can see you - getting through to security incidents
(transcript of the slide deck)
Hinne Hettema
IT Security Team Lead, The University of Auckland
Cyber Security Lecturer, Unitec
Contents
• From incidents to groups: who’s behind our incidents?
• The advantages of ‘group data’ over incident data
• Predictive controls: why you need them
• Predictive controls: how to do them
• Conclusions
Hacking is only Human
• Behind all hacking and intrusion attempts stands a human intruder
• Humans hack for a reason
• Motivations related to a ‘threat stack’ – one way to categorise hacking attempts
Threat Stack (‘benign’ to ‘bad’)
• Experimentation
• Vandalism
• Hacktivism
• Cyber Crime
• Information warfare (example: denial of service, sabotage)
• Cyber espionage (state sponsored or private)
• Surveillance
• Cf. ‘Maslow’s hierarchy of [hacker] needs’
Threat stack is cumulative

Threat | Motivation | Very rough timeline
Experimentation | Curiosity | Late 1970s - now
Vandalism | Web graffiti, destruction, showing off | 1997 -
Hacktivism | Activism, political | 2005 -
Cyber Crime | Financial | 2003 -
Cyber Espionage (APT) | Intellectual property theft, political | 1995 -
Information Warfare (state sponsored or private) | Disruption in manufacturing, infrastructure and finance; overall nation-state disruption; military disruption | 2007 -
State sponsored 'Advanced Persistent Threat' | Economic and military power; militarisation of cyberspace | 2010 -
Surveillance | Security industry (surveillance); data passed on for competitive reasons? | 2005 - (it probably happened); 2013 - (we think we know about it)
Strategising the threat stack
• Tools and techniques move down the stack
• What was used for APT two years ago is now becoming common in cyber crime
• What was common in state surveillance is now a hacker tool (BadUSB)
• Hence it makes sense to ‘design defences for the bleeding edge’
Lose sleep here…
• Rapid accumulation of threats
• Fragmentation of incidents
• More sophisticated incidents
Assume compromise
• PWC (2011) ‘A New Philosophy for Cyber Security’
• Philosophy’s all well and good, but what do we do?
• Sharing some of our experiences over 2014 with looking at ‘groups’ instead of ‘incidents’
Incidents
• Are ‘one-offs’
• Are dealt with tactically – i.e. you do what you always do and do it well
• Can be opened and closed
Hacking ‘groups’
• Cluster around a motivation
• Are persistent and generate many ‘incidents’ per group
• Have a more or less defined, but evolving, Modus Operandi
• ‘Modus Operandi’ consists of tactics, technical toolset, business model, discovery techniques, hosting, alliances
• Modus Operandi is relatively stable!
• Are dealt with strategically – i.e. anticipate and react pre-emptively
Some speculation
Such groups possibly
• Visit many organisations in a market segment (they 'specialise' in a single market segment – in our case, tertiary education)
• Move up from small and simple to large and complex
• Share knowledge and tactics with each other
• Divide up the landscape of victims?
• ‘Hand over’ targets to rival groups in exchange for something else?
Unpacking the Modus Operandi
• Because they are persistent, they will use something like a ‘kill chain’, a model or strategy for their attacks
• They’ll use the same or similar tools and strategies for identical stages in the kill chain in different incidents
• They have a business model – you can follow the $$s and work out what it is
Why follow the money?
• The Underground Economy is important
• If you understand the business model of a group you can defend against it (by fouling it up)
• Their $$s are usually your loss or your customers’ loss, so this cuts both ways
• Business model lets us focus on what is stable in a series of incidents – the attackers usually want the same stuff all the time
‘Incident’ally: The Kill Chain
• Discovery (reconnaissance)
• Weaponisation
• Delivery
• Exploitation
• Installation
• Command and Control
• Actions on objectives
• [Optionally] Target Destruction
Key consequences of the kill chain
• ‘Incidents’ look complex: different methods and tools used in different phases
• Most people only pick an incident up in the ‘Target Destruction’ phase:
• Fake AV
• Cryptolocker / Cryptorbit
• TOR Exit nodes
• DDoS traffic exiting the network
• ‘It no longer works’ or ‘Something funny’
Progress of an attack: Complex!
[Figure: P(Loss) against Time for three attacks A, B and C, annotated with the phases Initial Exploit, Tools Available, Transition to other Attacks, and Residual Attacks]
Incidents: Verizon Data Breach Investigations Report 2014
Consequence of complex incidents: we are LOSING
• More than 75% of systems are compromised within a timeframe of ‘days or less’
• Less than 25% of these compromised systems are discovered in ‘days or less’
• And the gap grows
Short Summary
Many people only discover they’ve been hacked
• AFTER the attacker has achieved their objectives
• AFTER the attacker has started wrecking the place
hence
• AFTER the damage is done
The key question
What if we could detect an attack at the
• Reconnaissance phase
• Weaponisation phase
• Delivery phase
Rather than at the Target Destruction phase?
We could
• Trick the attacker by diverting them mid-attack
• Watch them in action and discover their tactics
• Add to our arsenal of ‘malware tools still to analyse’ (but so little time…)
• Waste their time
• Warn other victims in time
All this can be done
• Picking up discovery is not that hard – you probably already have the data
• Picking up weaponisation is not that hard – you probably already have the data
• […]
There’s just so much of it
• Knowing about the groups that try to attack you over and over gives perspective to the data
• And also lets you search very effectively
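As an added example (not code from the original talk), here is how the discovery-phase signal can be pulled from ordinary web-server access logs and then folded into ‘group’ data rather than raised as one alert per source. The combined-format log lines, the scanner user agent, the 2014 timestamps and the thresholds are constructed assumptions: a source that bursts requests for paths that do not exist here, with no referrer, is treated as reconnaissance, and recon sources that share tooling (user agent) and an overlapping probe list are merged into one group with several ‘incidents’.

```python
"""Added example, not part of the original talk: pick up the discovery
(reconnaissance) phase from web-server access logs and fold the hits into
'group' data. Log lines, user agents and thresholds are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"'
)

SCANNER = "Mozilla/5.0 (compatible; scanner/1.0)"          # constructed tool UA
BROWSER = "Mozilla/5.0 (Windows NT 6.1) Firefox/27.0"      # ordinary user
SAMPLE_LOG = f"""\
203.0.113.7 - - [10/Mar/2014:02:14:01 +1300] "GET /wp-login.php HTTP/1.1" 404 169 "-" "{SCANNER}"
203.0.113.7 - - [10/Mar/2014:02:14:02 +1300] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "{SCANNER}"
203.0.113.7 - - [10/Mar/2014:02:14:02 +1300] "GET /admin/ HTTP/1.1" 404 169 "-" "{SCANNER}"
203.0.113.7 - - [10/Mar/2014:02:14:03 +1300] "GET /xmlrpc.php HTTP/1.1" 404 169 "-" "{SCANNER}"
203.0.113.7 - - [10/Mar/2014:02:14:03 +1300] "GET /manager/html HTTP/1.1" 404 169 "-" "{SCANNER}"
198.51.100.22 - - [10/Mar/2014:02:15:10 +1300] "GET /courses/ HTTP/1.1" 200 8120 "https://www.example.edu/" "{BROWSER}"
198.51.100.22 - - [10/Mar/2014:02:15:12 +1300] "GET /courses/101 HTTP/1.1" 200 4410 "https://www.example.edu/courses/" "{BROWSER}"
198.51.100.22 - - [10/Mar/2014:02:15:30 +1300] "GET /missing.png HTTP/1.1" 404 169 "https://www.example.edu/courses/101" "{BROWSER}"
192.0.2.99 - - [11/Mar/2014:23:41:07 +1300] "GET /wp-login.php HTTP/1.1" 404 169 "-" "{SCANNER}"
192.0.2.99 - - [11/Mar/2014:23:41:07 +1300] "GET /phpmyadmin/ HTTP/1.1" 404 169 "-" "{SCANNER}"
192.0.2.99 - - [11/Mar/2014:23:41:08 +1300] "GET /admin/ HTTP/1.1" 404 169 "-" "{SCANNER}"
192.0.2.99 - - [11/Mar/2014:23:41:08 +1300] "GET /xmlrpc.php HTTP/1.1" 404 169 "-" "{SCANNER}"
192.0.2.99 - - [11/Mar/2014:23:41:09 +1300] "GET /cgi-bin/php HTTP/1.1" 404 169 "-" "{SCANNER}"
"""

MIN_REQUESTS = 5          # thresholds are assumptions; tune on your own traffic
MIN_NOT_FOUND_RATIO = 0.8
MIN_RATE = 1.0            # requests per second


def parse_log(text):
    """Parse combined-format lines; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
        rec["status"] = int(rec["status"])
        records.append(rec)
    return records


def profile_sources(records):
    """Per-source statistics that separate a probe from a browsing user."""
    by_ip = defaultdict(list)
    for r in records:
        by_ip[r["ip"]].append(r)
    profiles = {}
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        span = (recs[-1]["ts"] - recs[0]["ts"]).total_seconds()
        profiles[ip] = {
            "requests": len(recs),
            "paths": {r["path"] for r in recs},
            "user_agents": {r["ua"] for r in recs},
            "not_found_ratio": sum(r["status"] == 404 for r in recs) / len(recs),
            "no_referrer_ratio": sum(r["ref"] == "-" for r in recs) / len(recs),
            "rate": len(recs) / max(span, 1.0),
        }
    return profiles


def is_recon(profile):
    """Discovery-phase heuristic: a fast burst of referrer-less requests for
    paths that do not exist on this site."""
    return (profile["requests"] >= MIN_REQUESTS
            and profile["not_found_ratio"] >= MIN_NOT_FOUND_RATIO
            and profile["no_referrer_ratio"] >= MIN_NOT_FOUND_RATIO
            and profile["rate"] >= MIN_RATE)


def jaccard(a, b):
    return len(a & b) / len(a | b) if a | b else 0.0


def cluster_by_modus_operandi(profiles, min_overlap=0.5):
    """Fold recon sources into 'groups' that share tooling (user agent) and
    an overlapping probe list; one group accumulates many incidents."""
    groups = []
    for ip, p in sorted(profiles.items()):
        if not is_recon(p):
            continue
        for g in groups:
            if g["user_agents"] & p["user_agents"] and jaccard(g["paths"], p["paths"]) >= min_overlap:
                g["sources"].append(ip)
                g["paths"] |= p["paths"]
                break
        else:
            groups.append({"user_agents": set(p["user_agents"]),
                           "paths": set(p["paths"]), "sources": [ip]})
    return groups


def recon_sources(text):
    profiles = profile_sources(parse_log(text))
    return sorted(ip for ip, p in profiles.items() if is_recon(p))


if __name__ == "__main__":
    for g in cluster_by_modus_operandi(profile_sources(parse_log(SAMPLE_LOG))):
        print("group:", sorted(g["user_agents"]), g["sources"], sorted(g["paths"]))
```

The two scanning sources differ in one probed path and arrive a day apart, so an incident-by-incident view yields two unrelated tickets; the overlap in user agent and probe list is what makes them searchable as one group.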
TLP: AMBER
Recipients may only share TLP: AMBER information with members of their own organisation who need to know, and only as widely as necessary to act on that information.
Will NOT be in distributed slides!
Trends
• Attacks are getting smaller
• Attacks are getting more sophisticated
• ‘Cloud’ adds complexity to everything (it is easy to hide in clouds)
• Harder and harder to take an ‘incident view’ of security
• A ‘bad guys out’ strategy does not work
Next Generation Defence
• ‘Groups’ are more stable than incidents
• Can be followed over time
• Groups have a business model which does not vary a lot over time
• Business model can be attacked as part of defence
• Attacks from ‘groups’ can be predicted if you know what you’re looking for
Key business elements
• Get your data sharing and takedown channels sorted prior to an attack
• Partner with ‘competitors’ – in cyber defence, they are your friends and fellow victims
• Understand the value of your data in the context of your attackers’ business model
Key technical elements
• Implement aggregated, NoSQL-accessible logging for everything
• Flexible control over filters on incoming email / web
• Canary accounts
• Security team must own discovery and attack infrastructure somewhere in the cloud prior to an attack
• Do a lot of active egress monitoring (ingress attacks now mostly automated and largely uninteresting)
• Collect incident artefacts
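An added example (not from the original slides) of the egress-monitoring and ‘group data’ elements above: outbound flow records are checked against hosting carried over from an earlier incident attributed to the same group, against the default Tor relay port, and against fan-out and packet-volume thresholds that pick up DDoS traffic leaving the network. The flow records, the indicator entry, the address ranges treated as internal and the thresholds are constructed assumptions.

```python
"""Added example, not part of the original talk: active egress monitoring
over outbound flow records, with indicators carried over from an earlier
incident attributed to the same group. Flows, indicators and thresholds
are constructed assumptions."""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Hosting seen in a previous incident from the same group (constructed entry).
GROUP_INDICATORS = {"198.51.100.77": "group A: hosting used in an earlier 2014 incident"}
TOR_ORPORT = 9001          # default Tor relay ORPort; a campus client has no business there
FANOUT_THRESHOLD = 50      # distinct external destinations per host (assumed)
PACKET_THRESHOLD = 50_000  # outbound packets per host (assumed)

# (src, dst, dport, bytes_out, packets_out), constructed.
SAMPLE_FLOWS = [
    ("10.1.1.5", "203.0.113.50", 443, 180_000, 400),    # ordinary browsing
    ("10.1.1.5", "10.1.1.6", 445, 40_000, 90),          # internal, ignored
    ("10.1.1.9", "198.51.100.77", 443, 12_000, 40),     # talks to the group's known hosting
    ("10.1.2.40", "203.0.113.10", 9001, 3_000, 20),     # relaying for Tor
    ("10.1.2.40", "203.0.113.11", 9001, 2_500, 18),
] + [("10.1.3.7", f"192.0.2.{i}", 80, 90_000, 1_500) for i in range(1, 61)]  # DDoS leaving


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL)


def analyse_egress(flows):
    """Return {src: [reasons]} for hosts whose outbound traffic needs a look."""
    findings = defaultdict(list)
    dsts = defaultdict(set)
    pkts = defaultdict(int)

    def note(src, reason):
        if reason not in findings[src]:
            findings[src].append(reason)

    for src, dst, dport, nbytes, npkts in flows:
        if not is_external(dst):          # egress only
            continue
        dsts[src].add(dst)
        pkts[src] += npkts
        if dst in GROUP_INDICATORS:       # the stable part of the modus operandi: hosting
            note(src, f"contact with known group infrastructure {dst} ({GROUP_INDICATORS[dst]})")
        if dport == TOR_ORPORT:
            note(src, f"outbound to Tor ORPort {TOR_ORPORT} on {dst}")
    for src in dsts:                      # volume signals: DDoS / scanning from inside
        if len(dsts[src]) >= FANOUT_THRESHOLD:
            note(src, f"fan-out to {len(dsts[src])} external hosts")
        if pkts[src] >= PACKET_THRESHOLD:
            note(src, f"{pkts[src]} outbound packets")
    return dict(findings)


if __name__ == "__main__":
    for src, reasons in sorted(analyse_egress(SAMPLE_FLOWS).items()):
        print(src, "->", "; ".join(reasons))
```

The indicator match is the cheapest and most specific of the four checks, and it only exists because artefacts from the previous incident were kept and attributed to a group; the volume checks catch the same host later, at the Target Destruction end of the kill chain.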
Extra: References and Reading
• PWC (2011), Are you compromised but don't know it? A New Philosophy for Cyber Security: http://www.pwc.com/us/en/forensic-services/publications/are-you-compromised.jhtml
• Eric M. Hutchins, Michael J. Cloppert and Rohan M. Amin (Lockheed Martin), Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains: http://www.lockheedmartin.com/content/dam/lockheed/data/corporate/documents/LM-White-Paper-Intel-Driven-Defense.pdf