Invisible attacks – visible in your network. How to see and follow the tracks?
Jochen Belke
- Regional Technical Director at Lancope, CISSP
Agenda
Part 1: Invisible threat
Part 2: Network as a source of information
Part 3: Detection and telemetry
Part 4: Live Demo
Part 1
Invisible threat: Anatomy of an APT attack
(Diagram: attacker-side Callback Server and Compromised Web server on the Internet; the victim network behind FW and IPS with a DMZ, DC Servers 1 and DC Servers 2. The numbered phases below are the labels from the diagram.)
0. Reconnaissance
• Scanning
• Social engineering; Facebook, LinkedIn, etc.
• Dummy attacks, DDoS
1. Exploitation
• 0-day vulnerability
• Obfuscated JavaScript code
• Weaponized pdf file
2. Dropper
• xOR or Packer
3. Command and control
• Blogs, well known web pages
4. Data Loss
• Using outbound port 443 (SSL)
5. Malware propagation
Invisible threat:
Phase 1 - Exploit
• The web browser executes obfuscated JavaScript hidden in the raw HTML.
Invisible threat:
Phase 1 - Exploit
• The exploit performs a heap-spray attack and exploits a vulnerability in the web browser.
• It manipulates the memory space reserved for the application and the files that it opens.
Invisible threat:
Phase 2 - Dropper
• When the xOR decode key is applied, the random-looking binary becomes an executable file, and since the host is already compromised, it is easy to get this file to run.
• Decoded (xOR) binary file. The decode key is contained within the
Invisible threat:
Invisible Techniques
• Exploit
- Obfuscated JavaScript code
- Heap spray
- Weaponized pdf file
- Code injection
- Process migration
• Dropper (binary/executable)
- xOR or Packer
• CallBacks
- Blogs, well known web pages
• Data Loss
How to see invisible threats and follow the tracks?
Part 2
Network: The source of information
(Diagram: three sites, Atlanta, San Jose and New York, connected over the Internet. Every tier of the network exports NetFlow: Datacenter (UCS with Nexus 1000v, Cat6k), WAN (ASR-1000, 3925 ISR), DMZ (ASA, Cat6k) and Access (3560-X, 3850 Stack(s), Cat4k).)
Network: NetFlow
NetFlow v9: 160+ fields to choose from, including IPv6 and payload sections
Network: NetFlow
NetFlow has many versions

Version: V5
Major advantage: Defines 18 exported fields; simple and compact format; most commonly used format
Limits/Weaknesses: IPv4 only; fixed fields, fixed-length fields only; single flow cache

Version: V9
Major advantage: Template-based; IPv6 flows transported in IPv4 packets; MPLS and BGP next-hop supported; defines 104 fields, including L2 fields; reports flow direction
Limits/Weaknesses: IPv6 flows transported in IPv4 packets; fixed-length fields only; uses more memory; slower performance; single flow cache

Version: Flexible NetFlow (FNF)
Major advantage: Template-based flow format (built on the V9 protocol); supports flow monitors (discrete caches); supports selectable key fields and IPv6; supports NBAR data fields
Limits/Weaknesses: Less common; requires a more sophisticated platform to produce; requires a more sophisticated system to consume

Version: IP Flow Information Export (IPFIX), AKA NetFlow V10
Major advantage: Standardized – RFC 5101, 5102, 6313; supports variable-length fields, NBAR2; can export flows via IPv4 and IPv6 packets
Limits/Weaknesses: Even less common; only supported on a few Cisco platforms

Version: NSEL (ASA only)
Major advantage: Built on the NetFlow v9 protocol; state-based flow logging (context); pre- and post-NAT reporting
Limits/Weaknesses: Missing many standard fields; limited support by collectors
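The V5 row above says "18 exported fields, fixed length"; the following added example (not from the deck or from Lancope) makes that concrete by packing and decoding a constructed v5 export datagram: a 24-byte header followed by 48-byte records, with the count and length checks a collector needs before trusting the data.

```python
import struct
from ipaddress import IPv4Address

# NetFlow v5 wire layout (big-endian): 24-byte header, then up to 30 records of 48 bytes.
HEADER_FMT = ">HHIIIIBBH"   # version, count, sys_uptime, unix_secs, unix_nsecs, seq, engine_type, engine_id, sampling
RECORD_FMT = ">4s4s4sHHIIIIHHBBBBHHBBH"
HEADER_LEN = struct.calcsize(HEADER_FMT)   # 24
RECORD_LEN = struct.calcsize(RECORD_FMT)   # 48
RECORD_FIELDS = ("srcaddr", "dstaddr", "nexthop", "input", "output", "dPkts", "dOctets",
                 "first", "last", "srcport", "dstport", "pad1", "tcp_flags", "prot", "tos",
                 "src_as", "dst_as", "src_mask", "dst_mask", "pad2")


def parse_netflow_v5(datagram: bytes) -> list[dict]:
    """Decode one v5 datagram into flow dicts; reject anything that is not well-formed v5."""
    if len(datagram) < HEADER_LEN:
        raise ValueError("datagram shorter than v5 header")
    version, count, *_ = struct.unpack_from(HEADER_FMT, datagram, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version field = {version})")
    # A forged or truncated header must not make us read past the buffer.
    if count > 30 or len(datagram) != HEADER_LEN + count * RECORD_LEN:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        raw = struct.unpack_from(RECORD_FMT, datagram, HEADER_LEN + i * RECORD_LEN)
        rec = dict(zip(RECORD_FIELDS, raw))
        for key in ("srcaddr", "dstaddr", "nexthop"):
            rec[key] = str(IPv4Address(rec[key]))
        del rec["pad1"], rec["pad2"]
        flows.append(rec)
    return flows


def build_sample_datagram() -> bytes:
    """Constructed sample: an outbound 443 flow with a large byte count and a one-packet SYN to a neighbour."""
    header = struct.pack(HEADER_FMT, 5, 2, 123456, 1700000000, 0, 42, 0, 0, 0)

    def rec(src, dst, sport, dport, pkts, octets, flags):
        return struct.pack(RECORD_FMT, IPv4Address(src).packed, IPv4Address(dst).packed,
                           IPv4Address("10.0.0.1").packed, 1, 2, pkts, octets, 1000, 2000,
                           sport, dport, 0, flags, 6, 0, 0, 0, 24, 24, 0)

    return (header
            + rec("10.1.2.3", "203.0.113.9", 51000, 443, 12000, 9_000_000, 0x18)
            + rec("10.1.2.3", "10.1.2.77", 51001, 445, 1, 60, 0x02))
```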
Network: Configuring Flexible NetFlow
1. Configure the Exporter
Router(config)# flow exporter my-exporter
Router(config-flow-exporter)# destination 1.1.1.1
2. Configure the Flow Record
Router(config)# flow record my-record
Router(config-flow-record)# match ipv4 destination address
Router(config-flow-record)# match ipv4 source address
Router(config-flow-record)# collect counter bytes
3. Configure the Flow Monitor
Router(config)# flow monitor my-monitor
Router(config-flow-monitor)# exporter my-exporter
Router(config-flow-monitor)# record my-record
4. Apply to an Interface
Router(config)# interface s3/0
Network: Switch (Catalyst 3K-X) Flow Record configuration
!
flow record CYBER_3KX_FLOW_RECORD
 match datalink mac source-address
 match datalink mac destination-address
 match datalink mac source-vlan-id
 match ipv4 tos
 match ipv4 ttl
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 collect interface input snmp
 collect interface output snmp
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
!
Network: Router Flow Record configuration
!
flow record CYBER_ISR_RECORD
 match ipv4 tos
 match ipv4 protocol
 match ipv4 source address
 match ipv4 destination address
 match transport source-port
 match transport destination-port
 match interface input
 collect routing next-hop address ipv4
 collect ipv4 dscp
 collect ipv4 ttl minimum
 collect ipv4 ttl maximum
 collect transport tcp flags
 collect interface output
 collect counter bytes
 collect counter packets
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect application name
!
Network:
Firewall (ASA) NSEL configuration
Part 3
Detection and telemetry
(Timeline: threat eras and the defence that answered each)
• Viruses (1990s): ILOVEYOU, Melissa, Anna Kournikova. Defence: Anti-Virus, Firewalls
• Worms (2000s): Nimda, SQL Slammer, Conficker. Defence: Intrusion Detection & Prevention
• Botnets (late 2000s to current): Conficker, Tedroo, Rustock. Defence: Reputation, DLP, App.-aware Firewalls
• Directed Attacks (APTs) (today): Aurora, Shady Rat, Duqu, Polar Bear. Strategy: Visibility and Context
The OODA loop: Observe, Orient, Decide, Act, with feedback from Decide and Act back to Observe
• Observe: unfolding circumstances; outside information; unfolding interaction with environment; implicit guidance (from Orient)
• Orient: cultural traditions; genetic heritage; analysis & synthesis; new information; previous experiences
• Decide
• Act: unfolding interaction with environment (feedback to Observe)
http://en.wikipedia.org/wiki/OODA_loop
• Who? Nation-state? Competitor? Individual?
• What? What is the target?
• When? Is there a time when the attacker is most active?
• Where? Where is the attacker? Where are they successful?
• Why? Why are they attacking – what is their goal?
• How? How are they attacking – zero-day? Known passwords? Insider?
(Diagram: StealthWatch architecture. The Cisco network exports NetFlow, NBAR application data and NSEL from the ASA to the StealthWatch FlowCollector; the StealthWatch FlowSensor and FlowSensor VE add flow data; the StealthWatch FlowReplicator forwards NetFlow to other tools/collectors; Cisco ISE supplies users/devices context; the StealthWatch Management Console receives an optional Reputation Feed from the StealthWatch Labs Information Center.)
Detection: Where to launch NetFlow?
• Access: Catalyst® 3560/3750-X, Catalyst® 4500
• Distribution & Core: Catalyst® 6500, Catalyst® 4500
• Edge: ASA, ISR, ASR
Drilling into a Single Flow Yields a Wealth of Information
Reconnaissance: long and slow activity to discover resources and vulnerabilities
What to analyse:
• High number of flows
• High client byte ratio
• One-way or unanswered flows
• Flows within the subnet/host group
• Flows to non-existent IPs
• Flow patterns
• Abnormal behaviour
StealthWatch Method of Detection: Concern Index; High Traffic; High Connections; Trapped Hosts

Command and control: periodic "phone home" activity
What to analyse:
• Countries
• Applications
• Uploads/Downloads ratio
• Time of day
• Repeated connections
• Beaconing - repeated dead connections
• Long lived flows
• Known C&C servers
StealthWatch Method of Detection: Host Lock Violation; Suspect Long Flow; Beaconing Host; SLIC Reputation Feed

Data loss: data is exported off the resource (an intermediary resource may be used to obfuscate the theft)
What to analyse:
• Historical data transfer behaviour
• Applications
• Time of day
• Countries
• Amount of data – single and in aggregate
• Time frames
• Asymmetric traffic patterns
• Traffic between Host Groups
StealthWatch Method of Detection: Suspect Data Loss Alarm

Malware propagation: discovered host answers and vulnerability is exploited
What to analyse:
• High number of flows
• High client byte ratio
• Connections within the subnet/host group
• Flow patterns
• Abnormal behaviour
StealthWatch Method of Detection: Concern Index, Target Index; Scanning Alarms; Touched Host; Worm Propagation Alarm; Worm Tracker
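The four "What to analyse" slides describe heuristics rather than code; the following added example (written for this page, not StealthWatch's or Lancope's own logic) runs three of them over constructed, collector-style bidirectional flow records: beaconing (repeated connections at a near-constant interval), scanning (many distinct destinations that never answer) and suspect data loss (a large upload volume dominating the client byte ratio). Thresholds are assumed values for the sample, not product settings.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows, stitched into bidirectional records the way a collector
# would present them: (start_time_s, client, server, dst_port, client_bytes, server_bytes)
FLOWS = [
    # periodic "phone home": the same pair every 600 s, tiny replies
    *[(t, "10.1.2.3", "203.0.113.9", 443, 900, 120) for t in range(0, 6000, 600)],
    # bulk upload over outbound 443: the client sends far more than it receives
    (7000, "10.1.2.3", "203.0.113.44", 443, 50_000_000, 8_000),
    # sweep of the local subnet: 30 neighbours probed, none answer (one-way flows)
    *[(8000 + i, "10.1.2.50", f"10.1.2.{100 + i}", 445, 60, 0) for i in range(30)],
    # ordinary download traffic for contrast
    (9000, "10.1.2.7", "198.51.100.5", 443, 4_000, 250_000),
]


def beaconing_hosts(flows, min_count=5, max_jitter=0.1):
    """Client/server pairs whose flow start times repeat at a near-constant interval."""
    by_pair = defaultdict(list)
    for t, client, server, *_ in flows:
        by_pair[(client, server)].append(t)
    hits = []
    for pair, times in by_pair.items():
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        # coefficient of variation of the inter-flow gaps: ~0 means a fixed timer
        if len(times) >= min_count and mean(gaps) > 0 \
                and pstdev(gaps) / mean(gaps) <= max_jitter:
            hits.append(pair)
    return hits


def scanning_hosts(flows, min_targets=20):
    """Clients with many distinct destinations that never reply (silent or non-existent hosts)."""
    unanswered = defaultdict(set)
    for _, client, server, _, _, server_bytes in flows:
        if server_bytes == 0:
            unanswered[client].add(server)
    return [c for c, targets in unanswered.items() if len(targets) >= min_targets]


def suspect_data_loss(flows, min_bytes=10_000_000, min_ratio=0.9):
    """Clients whose aggregate upload is large and dominates their client byte ratio."""
    sent, total = defaultdict(int), defaultdict(int)
    for _, client, _, _, client_bytes, server_bytes in flows:
        sent[client] += client_bytes
        total[client] += client_bytes + server_bytes
    return [c for c in sent if sent[c] >= min_bytes and sent[c] / total[c] >= min_ratio]
```

Against the sample, the beaconing check flags only the 600-second pair, the scan check flags only the host sweeping the subnet, and the data-loss check flags only the uploader, even though that host also appears in the beaconing set.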