Uploaded by adrianitoterremoto, Mar 08, 2025 (45 slides)
About This Presentation: ExtraHop; 45 slides; 9.18 MB; language: en.
Defend Against Next-Gen Attacks with Wire Data. Pete Anderson, Senior Systems Engineer, ExtraHop.
My Background: transplant from the frozen north (Chicago); University of Illinois, Urbana-Champaign; 15+ years as a systems engineer in the visibility space.
Wire Data as a Rich Information Source. “Wire data — radically rethought and used in new ways — ...will prove to be the most critical source of data for availability and performance management over the next five years.”* (Gartner Research Note) *Source: Gartner, "Use Data- and Analytics-Centric Processes With a Focus on Wire Data to Future-Proof Availability and Performance Management," Vivek Bhalla and Will Cappelli, March 10, 2016.
NPMD: Responding to Security Breaches. Gartner report titled "Network Performance Monitoring Tools Can Play A Critical Role In Responding to Security Breaches", licensed for distribution and available for download at https://www.extrahop.com/lp/npmd-respond-to-security-breach-direct/
2016 Revisited: the continued emergence of the “Human Vector”. 7.3% of users are successfully phished (execute malicious attachment). Social media (43% of breaches are social) feeds intelligence. Ransomware made over $1B in 2016; variants grew by 30X. IoT exploited as an attack vector. (Chart: Google word interest for “Ransomware”.)
Shortage of InfoSec Talent
Security as a Strategy: It’s a discipline, not a destination. Define a strategy, but continually refine. Identify areas that pose the highest risks. Identify sensitive areas of the network. Minimize attack surface. Know your network better than your attackers. Design an incident response plan. Tool selection should be strategic, not tactical.
Key Security Initiatives for 2017: the need to simplify security; rethink existing tools and methods; engage in and embrace orchestration/automation; embrace APIs; thread Cyber Threat Intelligence (CTI) into your security apparatus; cyber insurance has become a principal part of business’ protection strategy; stop waiting for the bad actors to come to you, actively seek them out (threat hunting).
Everything Transacts On The Network. It's a rich, underutilized source of real-time business, security, application, network, and operations data. (Diagram: security, business, user experience, IoT, infrastructure, client, network, and application data.)
Questions a Security Professional Must Ask: Which devices are really talking to each other? What is in my data? Can I track the movement of sensitive information around the network? When did things change? Can I quickly identify if something has changed, and then figure out why, or at least who I need to ask? How should I respond? Can I easily find out how widespread an incident is and where to start? Are my controls working? Can I verify firewall rules against reality and provide auditors with records of observed activity? Where is my data going?
Why Wire Data? Not all systems log effectively. The quality of logs depends on the developer of the application. Events of interest may not get logged at all. Once a system is rooted, logs are routinely shut off and/or deleted. IoT devices (usually) don’t have any logging capability.
NSA’s worst nightmare: "One of our worst nightmares is that out-of-band network tap that really is capturing all the data, understanding anomalous behavior that's going on, and someone's paying attention to it. You've gotta know your network. Understand your network, because we're going to." — Rob Joyce
Why Wire Data (continued): When bad actors worked in days, you needed to react in hours. When bad actors worked in hours, you needed to react in minutes. When bad actors worked in minutes, you needed to react in seconds. Bad actors now work in seconds; you need to react in milliseconds. How? Wire data observes at the microsecond increment and acts at the millisecond increment.
A world of Microseconds: Human/SIEM vs Malware
A world of Microseconds: Wire Data vs. Malware
Breaches are Inevitable. The key: detection time. “According to research firm Gartner, the average lag time before a breach is detected is a shocking 205 days.” “It’s no longer a question of whether a company will be attacked but more a question of when.” “[Companies] need to broaden their focus, develop new measures like cyberrisk tolerances and such innovative monitoring techniques as key performance indicators.” (Business Insider, July 2016)
Anatomy of a Breach: User receives malicious email. User clicks something, initiating malware and C2. Network is surveyed, credentials are stolen. Sensitive data is collected. Data is exfiltrated. (Diagram: attacker, target host, mail server and database, with ICMP & TCP, HTTP, SSH, FTP, SMTP, LDAP, MySQL and DNS traffic between them.)
Data Exfiltration and C2 via DNS: According to the 2016 Cisco Annual Security Report, approximately 69% of organizations today don't monitor or control recursive DNS traffic. Attackers love this visibility gap, and Cisco reports that 92% of malware today uses DNS to establish C2 communication, exfiltrate data, or redirect traffic. Source: http://www.darkreading.com/threat-intelligence/wekby-pisloader-abuses-dns/d/d-id/1325729
DNS Tunneling Used by Malware for C2: Wekby’s pisloader is a great example. Source: http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/
No trace of the breach other than: the ATM’s camera footage of the mule, and a single line in the ATMs’ log file. https://motherboard.vice.com/en_us/article/atm-hack-russia-disappearing-malware
“Fileless” Attacks: “A non-malware attack is one in which an attacker uses existing software, allowed applications and authorized protocols to carry out malicious activities. Non-malware attacks are capable of gaining control of computers without downloading any malicious files, hence the name. Non-malware attacks are also referred to as fileless, memory-based or “living-off-the-land” attacks.” Runs in RAM; uses native tools; C2 over DNS; undetectable by traditional antivirus. https://threatpost.com/new-fileless-attack-using-dns-queries-to-carry-out-powershell-commands/124078/ https://www.carbonblack.com/2017/02/10/non-malware-fileless-attack/
Everything Transacts on the Network … even the bad guys. Multiple L7 protocols; various behaviors (north-south, east-west) and data exchanged; detection at the micro-second level. (Diagram: attacker, target host, mail server and database exchanging SMTP, HTTP, SSH, ICMP & TCP, LDAP, FTP, MySQL and DNS traffic.)
Port Scanning Detection: Use trend-based alerts and/or anomaly detection to identify port scans, even if they are performed slowly.
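As an added example (not code from the presentation or from ExtraHop), the following Python applies the trend-based idea to constructed connection records: an hourly distinct-port count catches a fast scan, while a daily count with a lower bar catches a scan that touches one new port every ten minutes. The bucket sizes and thresholds are assumptions to tune against your own baseline.

```python
from collections import defaultdict

# Constructed sample connection records: (timestamp_s, src_ip, dst_ip, dst_port).
# 10.0.0.50 is a normal client, 10.0.0.77 scans 30 ports in half a minute, and
# 10.0.0.66 probes one new port every ten minutes for nearly four hours.
SAMPLE_FLOWS = (
    [(t, "10.0.0.50", "10.0.1.10", 443) for t in range(0, 7200, 60)]
    + [(t, "10.0.0.50", "10.0.1.10", 80) for t in range(30, 7200, 300)]
    + [(100 + i, "10.0.0.77", "10.0.1.10", 1000 + i) for i in range(30)]
    + [(600 * i, "10.0.0.66", "10.0.1.10", 1 + i) for i in range(24)]
)


def distinct_ports_by_bucket(flows, bucket_s):
    """Map (src, dst) -> {bucket_index: set of distinct destination ports}."""
    buckets = defaultdict(lambda: defaultdict(set))
    for ts, src, dst, dport in flows:
        buckets[(src, dst)][ts // bucket_s].add(dport)
    return buckets


def detect_port_scans(flows, fast_window_s=3600, fast_threshold=20,
                      slow_window_s=86400, slow_threshold=15):
    """Return {(src, dst): reason}. The hourly rule catches bursty scans; the
    daily rule accumulates ports over a much longer window, so a scan spread
    thinly across hours still crosses a (lower) line."""
    findings = {}
    fast = distinct_ports_by_bucket(flows, fast_window_s)
    for pair, per_bucket in fast.items():
        if any(len(ports) >= fast_threshold for ports in per_bucket.values()):
            findings[pair] = "burst scan"
    slow = distinct_ports_by_bucket(flows, slow_window_s)
    for pair, per_bucket in slow.items():
        if pair in findings:
            continue  # already reported by the hourly rule
        if any(len(ports) >= slow_threshold for ports in per_bucket.values()):
            findings[pair] = "slow scan"
    return findings
```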
Authentication Monitoring: Track privileged user logins. Ensure applications are using approved authentication methods. Record every failed and successful login across all systems. Store historical data to simplify audit reporting and enable investigation.
FTP Audit Log: Identify and alert on any anomalous FTP activity and follow every action.
Traffic Blacklisting: Set rules and alerting for undesired communication: known-bad IPs (threat intelligence feed), geographic lookup. (Diagram callout: Policy violation!)
DNS Tunneling: Detect DNS tunneling activity based on a behavioral-analysis, multivariate scoring process.
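Added example, not ExtraHop's code, covering both the DNS-tunnelling C2 slides above and this detection slide: a minimal multivariate score over constructed DNS query records. The four indicators (query count, label uniqueness, label length, label entropy), their weights and the threshold are assumptions; the tunnel traffic is fabricated from hashes, not captured from any real malware.

```python
import base64
import hashlib
import math
from collections import defaultdict

# Constructed sample DNS query log as (client_ip, query_name) tuples.
# The tunnel.example queries imitate DNS tunnelling: one client sending many
# unique, long, high-entropy labels under a single zone (fake data, not real).
def _fake_tunnel_label(i):
    digest = hashlib.sha256(f"chunk-{i}".encode()).digest()
    return base64.b32encode(digest).decode().rstrip("=").lower()[:40]

SAMPLE_QUERIES = [
    ("10.0.0.5", "www.example.com"),
    ("10.0.0.5", "mail.example.com"),
    ("10.0.0.7", "cdn.example.org"),
] + [("10.0.0.9", f"{_fake_tunnel_label(i)}.tunnel.example") for i in range(40)]


def shannon_entropy(text):
    """Bits per character; encoded payload scores far above a normal hostname."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def score_dns_clients(queries, threshold=2.5):
    """Group queries by (client, zone) and combine four indicators into one
    score. Each indicator is capped at 1.0, so the maximum score is 4.0; the
    count term keeps a single odd-looking lookup from tripping the alert."""
    groups = defaultdict(list)
    for client, name in queries:
        labels = name.lower().rstrip(".").split(".")
        zone = ".".join(labels[-2:])        # naive zone = last two labels
        groups[(client, zone)].append(".".join(labels[:-2]))  # sender-controlled part
    results = {}
    for key, subs in groups.items():
        count = len(subs)
        unique_ratio = len(set(subs)) / count          # tunnels rarely repeat a label
        mean_len = sum(len(s) for s in subs) / count   # long labels carry payload
        mean_entropy = sum(shannon_entropy(s) for s in subs) / count
        score = (min(count / 20, 1.0) + unique_ratio
                 + min(mean_len / 30, 1.0) + min(mean_entropy / 4, 1.0))
        results[key] = (round(score, 2), score >= threshold)
    return results
```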
IoT-initiated DDoS. 2016: The year menaces multiplied. https://www.theguardian.com/technology/2016/oct/26/ddos-attack-dyn-mirai-botnet
IoT: 20 Billion Connected Devices by 2020. No logging, no agents, no instrumentation … who’s ready? 2012: 1.3 billion connected things in use worldwide; people outnumber connected devices by roughly 5:1. 2016: 6.4 billion connected things in use worldwide, up 30 percent from 2015; 5.5 million new things will get connected every day. 2020: 20.8 billion connected things in use worldwide; Internet-connected devices will outnumber people by at least 2:1. Source: Gartner, November 2015, http://www.gartner.com/newsroom/id/3165317
The IoT Calamity: Mirai was just the start. Static credentials. Millions will be sold AGAIN this December. No strategy for patching. No logs, no agents, no MIBs. The individuals responsible for securing IoT are not hardened IT war horses like some industries.
Medical Devices: Healthcare’s Vulnerable IoT. “… there are so many easy targets. More than 36,000 healthcare-related devices in the US alone are easily discoverable on Shodan.” https://www.wired.com/2017/03/medical-devices-next-security-nightmare/ "The combination is concerning," he notes. "Attackers are leveraging legacy malware-spreading tools that bypass a lot of today's operating systems and target older systems."
Healthcare IoT (Medical devices): Telnet example.
Targeted Anomaly Detection: Create a whitelist of users or devices allowed to access specific databases and get notified about unauthorized access. Set a threshold for normal application traffic activity. Alert on increased failed login attempts for devices that provide access to sensitive information. (Diagram: new model, micro-perimeters around App A assets and App A data; remote workers; an unauthorized client flagged as a policy violation.)
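Added example, not from the presentation, serving both the authentication-monitoring slide and this micro-perimeter slide: a per-database client allow-list plus a sliding-window failed-login threshold, run over constructed authentication events. The policy table, window and threshold are assumptions.

```python
from collections import defaultdict

# Constructed sample of database authentication events seen on the wire:
# (timestamp_s, client_ip, db_host, user, success). 10.0.0.23 is not on the
# allow-list for the payroll database and also hammers it with bad passwords.
SAMPLE_AUTH_EVENTS = (
    [(t, "10.0.0.21", "db-payroll", "hr_app", True) for t in range(0, 600, 60)]
    + [(100, "10.0.0.22", "db-inventory", "warehouse", False),
       (110, "10.0.0.22", "db-inventory", "warehouse", True)]
    + [(200 + i, "10.0.0.23", "db-payroll", "admin", False) for i in range(8)]
)

# Micro-perimeter policy: which clients may talk to each sensitive database.
# Constructed placeholder; in practice this comes from the asset inventory.
ALLOWED_CLIENTS = {
    "db-payroll": {"10.0.0.21"},
    "db-inventory": {"10.0.0.21", "10.0.0.22"},
}


def evaluate_access(events, failed_threshold=5, window_s=300):
    """Return a list of (client_ip, db_host, reason) findings in time order."""
    findings = []
    failures = defaultdict(list)   # (client, db) -> timestamps of failed logins
    reported = set()               # report each unauthorized pair only once
    for ts, client, db, user, ok in sorted(events):
        if client not in ALLOWED_CLIENTS.get(db, set()) and (client, db) not in reported:
            reported.add((client, db))
            findings.append((client, db, "unauthorized client"))
        if not ok:
            recent = failures[(client, db)]
            recent.append(ts)
            while recent and ts - recent[0] > window_s:
                recent.pop(0)      # drop failures that fell outside the window
            if len(recent) == failed_threshold:   # fire once as the line is crossed
                findings.append((client, db, "failed login spike"))
    return findings
```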
Ransomware Activity over Time: Ransomware has unquestionably become the most successful/destructive malware type to date. https://www.troyhunt.com/everything-you-need-to-know-about-the-wannacrypt-ransomware/ (Chart: word interest for “Ransomware”, according to Google.)
WannaCry: Why Was it Unsuccessful?
Ransomware Detection: Check for known file extensions that are commonly associated with ransomware attacks. Create a file extension “whitelist” to uncover potential attacks. Set a threshold for normal WRITE activity. Detect instructional files typically associated with ransomware variants that are left behind during an attack. (Diagram: attacker, mail server and clients over SMTP and HTTP; clients and file server over CIFS.)
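The four checks on this slide, as an added Python example (not ExtraHop's code) run over constructed CIFS write events: a known-bad extension list, an extension whitelist, a sliding-window write threshold, and a filename pattern for dropped ransom notes. The extension lists, the note pattern and the thresholds are placeholders to replace with your own intelligence and baselines.

```python
import re
from collections import defaultdict

# Constructed sample of CIFS/SMB write events seen on the wire:
# (timestamp_s, client_ip, path). 10.0.0.42 imitates a ransomware client
# rewriting documents with a new extension and dropping a ransom note.
SAMPLE_WRITES = (
    [(0, "10.0.0.11", r"\\fs01\finance\q3-report.xlsx"),
     (5, "10.0.0.11", r"\\fs01\finance\q3-report.xlsx"),
     (30, "10.0.0.12", r"\\fs01\hr\handbook.docx")]
    + [(60 + i, "10.0.0.42", rf"\\fs01\finance\doc{i}.docx.locked") for i in range(25)]
    + [(90, "10.0.0.42", r"\\fs01\finance\_HELP_instructions.html")]
)

# Constructed placeholder lists; in practice feed these from threat intel
# and from the extensions this share is expected to hold.
KNOWN_BAD_EXTENSIONS = {".locked", ".crypt", ".enc"}
ALLOWED_EXTENSIONS = {".docx", ".xlsx", ".pptx", ".pdf", ".txt"}
# Ransom notes carry "how to get your files back" wording in the filename.
RANSOM_NOTE_RE = re.compile(r"(help|decrypt|restore|recover|readme).*(instruction|file)")


def detect_ransomware(events, window_s=60, write_threshold=20):
    """Return {client_ip: sorted reasons} for clients that trip any rule."""
    by_client = defaultdict(list)
    for ts, client, path in events:
        by_client[client].append((ts, path))
    findings = defaultdict(set)
    for client, writes in by_client.items():
        writes.sort()
        start = 0  # sliding window over timestamps: bulk re-encryption is noisy
        for end in range(len(writes)):
            while writes[end][0] - writes[start][0] > window_s:
                start += 1
            if end - start + 1 > write_threshold:
                findings[client].add("write burst")
                break
        for _, path in writes:
            name = path.rsplit("\\", 1)[-1].lower()
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in KNOWN_BAD_EXTENSIONS:
                findings[client].add("known ransomware extension")
            elif ext not in ALLOWED_EXTENSIONS:
                findings[client].add("extension outside whitelist")
            if RANSOM_NOTE_RE.search(name):
                findings[client].add("ransom note dropped")
    return {c: sorted(r) for c, r in findings.items()}
```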
Machine Learning: The Next Generation. Machine learning is becoming a requirement, not “nice to have”. Machine learning will have a big impact on IT Operations & Security.
ExtraHop Addy: the first machine learning platform for wire data. Always-on, always learning: continuous baselines for every device, network, and application; the service continuously improves its accuracy. Superhuman IT vision: cross-correlate events related to the anomaly; reduce risk by identifying security events. More productive IT: the power of machine learning in their hands; makes proactive remediation easier.
Addy Gives ExtraHop a Voice: Select a time period to see associated anomaly events. Contextual links back to the entity and anomaly. Context to quickly understand the anomaly. Filter anomalies by protocol and source. Addy understands your existing application definitions.
Thank You!
Solving the Data Gravity Problem: How to Apply Cloud-Based Machine Learning to the Richest Dataset. (Diagram: raw network packet data: high volume, low signal-to-noise, unmanageable. Real-time stream processor. Machine learning in the cloud: always-on, analyze large datasets, scalable resources. Structured wire data: low volume, portable, high signal-to-noise ratio, contextual, real-time, definitive.)
Integration / Automation is the Key Integrate with both perimeter and micro-segmentation firewall APIs or other NAC solution such as Cisco ISE. Alternatively, populate event data to a Slack Channel or ServiceNow Event tracking.
SIEM Integration: Proactively assess actual risk profile; simplify compliance & audit; detect & respond faster; integrate with security infrastructure. (Diagram: unstructured network packets; ExtraHop Stream Analytics Platform; user, application, system, data and network behavior; Open Data Stream; big data lake for security.)