Posts Tagged ‘SIEM’

Advanced Persistent Threats and Human Errors

November 20, 2011 1 comment

In these days many people are asking me what they can do to stop an Advanced Persistent Threat. Although security firms are running fast to develop new technologies to thwart these attack vectors (sophisticated SIEMs and a new breed of network security devices, the so called Next Generation IPSs), unfortunately I am afraid the answer is not so easy. I might spend thousands of words to figure out the answer, but I would not be able to give a better representation than this cartoon I found a couple of days ago in the Imperva Blog.

Intentional or unintentional the human error is always the first vector an Advanced Persistent Threat exploits to enter the organization: as a matter of fact all the APT attacks recorded in 2011 (and unluckily examples abound in the news), have a point in common: the initial gate which allowed the attack to enter, that is the user.

The last resounding example is not an exception to this rule: on Friday November, the 17th Norway’s National Security Authority (NSM) confirmed that systems associated with the country’s oil, gas, and energy sectors were hit with a cyber attack, resulting in a loss of sensitive information. If we look at the information available for this attack, it is really easy to find all the ingredients of a typical APT Attack: virus spread via malware-infected emails sent to “selected individuals”, sophisticated malware designed to avoid detection by anti-virus solutions, and, last but not least, sophisticated malware designed to steal information from the victim’s computer: documents, drawings, username and password.

So at the end which is the key to face an APT, before the technology itself is able to catch it? The answer (and the technology) spins around the user which is the first firewall, IPS, anomaly detector, who can stop an APT. Of course exactly like security devices must be configured to stop the intrusion attempts, analogously users must be configured educated not to accept virtual candies from strangers, hence acting as unintentional gates for the threats to enter the organizations. This often happens because of shallow behaviors or also because of behaviors in clear contrast with the internal policy (yes the infamous AUP). I use to say that security is a mindset, quite similar to distrust: you have it since you are naturally born with it, or you may simply be educated to embrace it.

Keep in mind the central role of the user inside the security process since 2012 will be the year of APTs… Would you ever buy (and heavily pay) an armored door for your home and give the key to people you do not trust?

Advanced Persistent Threats and Security Information Management

October 13, 2011 3 comments

Advanced Persistent Threats are probably the most remarkable events for Information Security in 2011 since they are redefining the infosec landscape from both technology and market perspective.

I consider the recent shopping in the SIEM arena made by IBM and McAfee a sign of the times and a demonstration of this trend. This is not a coincidence: as a matter of fact the only way to stop an APT before it reaches its goal (the Organization data), is an accurate analysis and correlation of data collected by security devices. An APT attack deploys different stages with different tactics, different techniques and different timeframes, which moreover affect different portion of the infrastructure. As a consequence an holistic view and an holistic information management are needed in order to correlate pieces of information spread in different pieces of the networks and collected by different, somewhat heterogeneous and apparently unrelated, security devices.

Consider for instance the typical cycle of an attack carried on by an APT:

Of course the picture does not take into consideration the user, which is the greatest vulnerability (but unfortunately an user does not generate logs except in a verbal format not so easy to analyze for a SIEM). Moreover the model should be multiplied for the numbers of victims since it is “unlikely” that such a similar attack could be performed on a single user at a time.

At the end, however, it is clear that an APT affects different components of the information security infrastructure at different times with different threat vectors:

  • Usually stage 1 of an APT attack involves a spear phishing E-mail containing appealing subject and argument, and a malicious payload in form of an attachment or a link. In both cases the Email AV or Antispam are impacted in the ingress stream (and should be supposed to detect the attack, am I naive if I suggest that a DNS lookup could have avoided attacks like this?). The impacted security device produce some logs (even if they are not straightforward to detect if the malicious E-mail has not been detected as a possible threat or also has been detected with a low confidence threshold). In this stage of the attack the time interval between the receipt of the e-mail and its reading can take from few minutes up to several hours.
  • The following stage involves user interaction. Unfortunately there is no human firewall so far (it is something we are working on) but user education (a very rare gift). As a consequence the victim is lured to follow the malicious link or click on the malicious attachment. In the first scenario the user is directed to a compromised (or crafted) web site where he downloads and installs a malware (or also insert some credentials which are used to steal his identity for instance for a remote access login). In the second scenario the user clicks on the attached file that exploits a 0-day vulnerability to install a Remote Administration Tool. The interval between reading the malicious email and installing the RAT takes likely several seconds. In any case Endpoint Security Tools may help to avoid surfing to malicious site or, if leveraging behavioral analysis, to detect anomalous pattern from an application (a 0-day is always a 0-day and often they are released after making reasonably sure not to be detected by traditional AV). Hopefully In both cases some suspicious logs are generated by the endpoint.
  • RAT Control is the following stage: after installation the malware uses the HTTP protocol to fetch commands from a remote C&C Server. Of course the malicious traffic is forged so that it may be hidden inside legitimate traffic. In any case the traffic pass through Firewalls and NIDS at the perimeter (matching allowed rules on the traffic). In this case both kind of devices should be supposed to produce related logs;
  • Once in full control of the Attacker, the compromised machine is used as a hop for the attacker to reach other hosts (now he is inside) or also to sweep the internal network looking for the target data. In this case a NIDS/anomaly detector should be able to detect the attack, monitoring, for instance, the number of attempted authentications or wrong logins: that is the way in which Lockheed Martin prevented an attack perpetrated by mean of compromised RSA seeds, and also, during the infamous breach, RSA detected the attack using a technology of anomaly detection Netwitness, acquired by EMC, its parent company immediately after the event.

At this point should be clear that this lethal blend of threats is pushing the security firms to redefine their product strategies, since they face the double crucial challenge to dramatically improve not only their 0-day detection ability, but also to dramatically improve the capability to manage and correlate the data collected from their security solutions.

As far as 0-day detection ability is concerned, next-gen technologies will include processor assisted endpoint security or also a new class of network devices such as DNS Firewalls (thanks to @nientenomi for reporting the article).

As far data management and correlation are concerned, yes of course a SIEM is beautiful concept… until one needs to face the issue of correlation, which definitively mean that often SIEM projects become useless because of correlation patterns, which are too complex and not straightforward. This is the reason why the leading vendors are rushing to include an integrated SIEM technology in their product portfolio in order to  provide an out-of-the-box correlation engine optimized for their products. The price to pay will probably be a segmentation and verticalization of SIEM Market in which lead vendors will have their own solution (not so optimized for competitor technologies) at the expense of generalist SIEM vendors.

On the other hand APT are alive and kicking, keep on targeting US Defense contractors (Raytheon is the latest) and are also learning to fly though the clouds. Moreover they are also well hidden considered that, according to the Security Intelligence Report Volume 11 issued by Microsoft, less than one per cent of exploits in the first half of 2011 were against zero-day vulnerabilities. The 1% makes the difference! And it is a big difference!

Information, The Next Battlefield

October 5, 2011 1 comment

Today the Information Security Arena has been shaken by two separate, although similar, events: IBM and McAfee, two giants in this troubled market, have separately decided to make a decisive move into the Security Information And Event Management (SIEM) market by acquiring two privately held leading companies in this sector.

As a matter of fact, nearly in contemporary, today IBM has officially announced to acquire Q1 Labs while McAfee was officially declaring its intent to acquire privately owned company NitroSecurity.

Although part of different tactics, the two moves follow, in my opinion, the same strategy which aims to build a unified and self-consistent security model: a complete security framework must not only provide information but also the intelligence to manage it, Information is power and Security is no exception to this rule.

But in order to be a real power, information must be structured and here comes the key point. Both vendors are leading providers of Network and Host Intrusion Prevention Solutions, heritage of the acquisions of ISS by IBM and Intrushield by McAfee and have hence the ability to capture security events from endpoints and networks: definitively they have the ability to provide the information, but they miss the adequate intelligence to correlate and manage it in order to make it structured.

This is completely true for McAfee that, (at least until today) lacked a SIEM solution in its portfolio and needed to rely on the SIA Certified SIEM Partner (Of course NitroSecurity was certified as a Sales Teaming Partner, the higher level). But in part this is also true for IBM that, despite the Micromuse acquisition and its troubled integration with Tivoli, was never able to became a credible player in this market, confined at the boundaries of the various (magic) quadrants.

Now they can make a decisive change to their positioning and also leverage a powerful trojan horse (the Information Management) to push their technologies to conquer new customers and market segments.

Is maybe a coincidence that another leader provider of SIEM solutions (ArcSight) is part of a company (HP) which also has in its portfolio Tipping Point (as part of the 3Com acquisition) a leader provider of Network IPS?

Event detection and event correlations (and management) are converging in the new Unified Security Model, general SIEM vendors are advised…

Violati i Server RSA

Stamattina mi sono svegliato con una di quelle notizie la cui eco rimbomberà per un bel pezzo nell’arena Infosec. Il blog di Sophos riporta difatti che la nota azienda di sicurezza RSA, specializzata in sistemi di autenticazione forte (in pratica da lei inventati) è stata vittima di un attacco informatico che ha portato alla sottrazione di alcune importanti informazioni.

La notizia è stata comunicata da RSA stessa mediante uno stringato comunicato sul proprio sito. Sebbene l’Azienda sia riuscita a rilevare l’attacco e abbia da subito rafforzato le misure di sicurezza, purtroppo non ha potuto impedire la sottrazione di preziose informazioni dai propri server tra cui alcune relative al sistema di autenticazione forte OTP a due fattori, RSA Secure-ID, che da anni costituisce la soluzione ammiraglia della Casa (che di fatto ha inventato l’omonimo algoritmo di crittografia asimmetrica). Chi di noi non ha mai utilizzato almeno una volta il piccolo quadrante con i numerini magici che cambiano ogni 10 secondi?

I dettagli dell’attacco non sono noti: RSA ha dichiarato di essere stata vittima di un extremely sophisticated cyber attack, ma sembra che alla base ci sia comunque un Advanced Persistent Threat, un attacco quindi estremamente sofisticato, portato su molti livelli e, probabilmente, avente l’utente come punto di ingresso (a questo link una ottima definizione della tipologia di attacco).

Come accennato in precedenza, il lato peggiore della vicenda risiede nel fatto che sembra siano state rubate anche alcune informazioni relative alla soluzione di autenticazione a due fattori. Allo stato attuale non ci sono notizie di possibili attacchi ai danni dei clienti (RSA produce la maggioranza dei token OTP presenti sul mercato utilizzati per gli usi più variegati: dalle transazioni bancarie all’accesso remoto di operatori), tuttavia:

this information could potentially be used to reduce the effectiveness of a current two-factor authentication implementation as part of a broader attack.

Ovvero i dati sottratti potrebbero essere utilizzati per mitigare l’efficacia dell’attuale sistema di autenticazione a due fattori all’interno di un attacco di più ampio respiro.

RSA fornirà presto ai propri clienti alcune raccomandazioni per rendere più sicura la propria infrastruttura di autenticazione a due fattori, nel frattempo, in collaborazione con la U.S. Securities and Exchange Commission ha pubblicato le seguenti raccomandazioni:

  • Aumentare il livello di sicurezza relativamente alle applicazioni di social media e all’utilizzo delle stesse (e di eventuali altri siti web) a chiunque abbia accesso a porzioni di reti critiche;
  • Utilizzare password complesse, corredate da PIN;
  • Utilizzare la regola del least privilege nell’assegnare ruoli e responsabilità agli amministratori di sicurezza (qualsiasi amministratore deve accedere al livello minimo di informazione indispensabile per effettuare la propria attività);
  • Educare gli utenti all’importanza di evitare mail sospette e ricordare loro di non fornire nomi utente o altre credenziali a nessuno senza averne prima verificato identità e autorità. Non fornire mai credenziali in seguito a richieste effettuate tramite mail o telefono e denunciare subito questi comportamenti;
  • Porre attenzione alla protezione dei repository Active Directory, utilizzando tecnologie SIEM (Security Information & Event Management) e autenticazione a due fattori per l’accesso agli stessi repository;
  • Monitorare attentamente i cambiamenti dei privilegi utente e relativi diritti di accesso utilizzando tecnologie di monitoraggio (ad esempio il già citato SIEM) e considerando l’aggiunta di livelli di approvazione manuale per questi cambiamenti;
  • Effettuare l’hardening, il monitoraggio attivo, e contestualmente limitare l’accesso fisico alle infrastrutture che ospitano informazioni critiche;
  • Esaminare le procedure dell’help desk alla ricerca di eventuali brecce di informazioni che possano implicitamente aiutare un attaccante ad effettuare un attacco di tipo social engineering;
  • Aggiornare sempre tutta l’infrastruttura di sicurezza ed i sistemi operativi con le ultime patch di sicurezza.

Ancora una volta nel corso del 2011 l’equazione APT=furto di informazioni si rivela tristemente vincente ed efficace. Non sono ancora trapelati dettagli sull’attacco ma, dall’analisi delle raccomandazioni fornite, si delineano alcuni tratti comuni: la “compromissione” dell’utente come punto di ingresso per la compromissione dell’infrastruttura. D’altronde se si analizzano le raccomandazioni fornite e le si confrontano con la morfologia dell’attacco Night Dragon, non trovate che siano perfettamente coincidenti con le vulnerabilità umane e tecnologiche sfruttate in quel contesto?


Get every new post delivered to your Inbox.

Join 3,686 other followers