2014 Converge Detroit: Looking for the Weird
The 2014 Converge Detroit conference did exactly that; it brought together business professionals, developers and hackers in the information security industry for two days of keynotes, sessions and networking at the COBO Center in Detroit, Michigan.
Looking for the Weird: Catching Breaches with NBAD
Speaker: Charles Herring, Consulting Security Architect, Lancope
This talk covered network behavioral anomaly detection (NBAD) based on network metadata from NetFlow. This type of metric-centric information collection cares only about the quantities of communications - syntax - in order to detect and report on possible attacks using geographic anomaly detection, signature and boolean detection, service thresholds, and more.
[Wiki defines Netflow as a feature introduced on Cisco routers that give the ability to collect IP network traffic as it enters or exits an interface]. Charles listed a few commercial solutions that included Arbor PeakFlow, IBM Qradar, Invea-Tech FlowMon, Lancope StealthWatch and many others.
Using histogram-based technology, it produces specific subsets of data that help administrators and organizations at large to detect anomalous network behavior that can inform them of a potential breach.
Network Detection Methods
He covered the different types of network detection methods, including:
- Signature-based detection - inspects objects that enter a subject: IPS (Intrusion Protection System), antivirus, content filters
- Behavioral - tracks victim behavior against blacklist: malware sandbox, NBAD/UBAD, HIPS and SEIM
- Anomaly - inspects victim behavior against whitelist: NBAD/UBAD (diff degrees of anomaly)
When comparing detection methods, he found that signature-based detection was best used for known exploits; behavior for zero-day exploits and anomaly for credential abuse.
With NBAD signature detection, there’s segmentation enforcement, that is, it dictates that certain machines shouldn’t ever be able to communicate with certain other machines. There’s also policy violations that detect users that may try to bypass or obfuscate their communications, and it’ll alert you when someone is violating the policy. While signature-based NBAD is easy to set up, provides deep visibility and certainty can be established, it also only detects known threats.
Boolean detection tracks known methods of attack, while teaching the system and allowing it to do the workflow. One challenge with boolean detection is that you need to know what ‘bad’ means, that is, a pre-determined profile of a threat. Another challenge is this type of detection is reliant on reliable data sources.
Anomaly detection is measured off of a baseline, what is defined as normal. Once normal is calculated, normal can change according to the different baseline activity detected; measurement is all about how far off an anomaly deviates from the normal. Using major computational work and massive data collection/processing, anomaly detection can catch more sophisticated, unknown and targeted threats.
Some of the different anomaly types include:
- Service Traffic Threshold Anomaly - checks traffic over time Service Type Anomaly - tracks major shifts in service profles (i.e., https)
- Geographic Traffic Anomaly - records geoIP data and reports on shifts in traffic in countries you may not normally deal with (spikes of traffic in unusual locations)
- Time of Day Anomaly - checks the influx of traffic during a certain time
- Geographic User Anomaly - tracks a user’s location (i.e., if a user is located in different locations over a short period of time, this could be anomalous due to the inability to time travel)
- Data Hoarding & Disclosure - tracks data that leaves the network, with hosts sending certain types of information (i.e., healthcare data) out to insecure hosts (Dropbox)
NBAD Data Breaches
Charles then gave a great analysis of some anonymous NBAD data breaches from different industries. One was a healthcare breach that resulted in patient data sent to East Asia. As a state-sponsored breach, petrabytes of patient data were leaving the mainframes.
Social engineering was the impetus for the mass data theft - a network administrator was attempting to sponsor his event on LinkedIn. The attackers found him on LinkedIn, somehow broke into his charity website, pulled a registration list and then sent spoofed emails to the administrator. Attached was an Excel spreadsheet with real attendee data, as well as keylogger malware.
While the administrator was logging into routers and switches, his credentials were sent to the attacker. The attacker then set up a control panel between them, and effectively built new routes around the firewalls, making sure to encrypt the data as it was being stolen. The threat was detected with NetFlow, using geographical anomaly detection that showed a major and unusual spike in traffic from East Asia.
Prevention vs. Detection
The only issue with this type of detection is that it happens after the fact - a better security solution can help prevent an attacker at the stage in which he/she used stolen credentials to set up a control panel and get access to the environment. Two-factor authentication stops remote attacks, particularly with out-of-band authentication method using a mobile app and secure push notifications.
Another data breach involved cardholder data being sent to Eastern Europe - using geographic traffic anomaly, they were able to track FTP uploads off of servers. The attackers conducted a Coldfusion exploit of a payment web server, recoded the application, staged the data on the server and uploaded it to an FTP server located in Eastern Europe.
One agriculture industry breach he referred to was the theft of intellectual property to East Asia, specifically, a state-sponsored attack to steal food production intellectual property (a recipe). This was achieved via a reset password spear phishing attack - an email with a link was sent to the victim.
Attackers then logged in via VPN, took over monitoring servers, inventoried what was on the network, then scanned and found data stores on the network. They started staging data and directly exfiltrated the data via SSH.
Using a combination of geographic traffic and geographic user anomaly, they were able to detect that data was being sent to East Asia. Again, another case in which two-factor authentication integrated with VPN logins could have prevented remote attacker entry. Read more in Two-Factor Authentication for VPNs.
The full set of slides from Charle's presentation can be found on his site, f15hb0wn.com.
Charles Herring, Consulting Security Architect, Lancope
Charles started his career in InfoSec in 2002 as a network security analyst and network security officer within the US Navy. He has labored as a network security product tester for InfoWorld Magazine, led a technology consulting firm and currently serves as Consulting Security Architect for Lancope.
Charles spends most of his time consulting with Fortune 2000 companies in the Midwest US on detecting and mitigating advanced, sophisticated attacks that leverage 0day exploits and insider threats.