IT Security Operations Centres
How to Deal with Cyberthreats

Liviu Vâlsan

UK HEP SYSMAN, 2nd of June 2015

Global Computing ↔ Global Cyber Threats

  • The past few years have seen profound changes in the underground economy and organised crime:
    • Cybercrime is highly profitable
    • Profits are earned globally
    • With minimal risk
    • Malware-as-a-Service
    • Specialised markets → new areas of expertise → new opportunities

Cybercrime at Scale

  • Interpol:
    • Cybercrime is bigger than cocaine, heroin and marijuana trafficking put together
    • 80% of online crime is connected to international organised gangs
  • Most large attacks now target both Windows and Linux
  • Significant impact for the HEP community

Exploit Kit Infection Chain

Source: Trend Micro

Commercial Exploit Kits

  • Fierce competition between a handful of exploit kits (EK)
  • Huge progress on time-to-market for exploits:
    • Only hours/days before vulnerabilities are available in EKs
    • CVE-2015-0311 and CVE-2015-0313 discovered as Flash "0-day" inside EKs

Source: Trend Micro

EKs: Detection of Antivirus and VM Products

Source: Trend Micro

EKs: File Obfuscation

Source: Trend Micro

Magnitude EK: Malware-as-a-Service

(Magnitude EK - 31% of the market in 2014)

Source: Trustwave

Rig EK Control Panel

Source: Trustwave

Email, the Leading Source of Compromise

  • >90% of breaches caused by spear phishing
  • Extremely effective:
    • 10 emails = 1 click guaranteed
    • Targeted phishing: ~70% success rate
    • HEPiX Spring 2015: 9% click rate (good, technical audience)

Targeted Phishing Campaigns at CERN

  • Since Dec 2014 CERN has been the victim of a targeted phishing campaign
  • ~20 variants of the Geodo malware, not detected / blocked by any major antivirus:
    • Constant evolution: Cridex, Feodo, Geodo, Dridex, Emotet, etc.
    • Short email campaign ~6-8h maximum
    • Antivirus vendors need ~9-24h to detect

Anatomy of an IT Security Operations Center

  • Centralized system dealing with the detection, containment and remediation of IT threats
  • Ensures that security incidents are properly
    • Identified
    • Analysed
    • Reported
    • Actioned / defended
    • Investigated
    • Communicated

SOC Components

  • Unified platform for data:
    • Ingest
    • Storage
    • Analytics
  • Multiple data access / view patterns
    • Command line interface
    • Web based dynamic dashboards for querying and reporting
  • Extensible, pluggable, modular architecture
  • Data access control policies

Data Analytics

  • Several data analysis patterns:
    • Streaming
    • Batch
    • Interactive
  • Statistical analysis, anomaly detection
  • Data correlation and enrichment
  • Easy integration of intelligence feeds

Alerting

  • Real-time
  • Rules-based
  • Contextual
  • Scoring system for alerts
  • Automated reports
  • Anomaly alerts
  • Emphasis on quality and not quantity of alerts (reduce the number of FPs)
  • Predictive modelling

Technology Goals

  • Scale out, not scale up
  • Integrated with the rest of the CERN IT ecosystem
  • Use commodity hardware (as much as possible)
  • Use cheap, massively-scalable storage (standard disk arrays)
  • Deployment inside OpenStack (whenever possible)
  • Configuration management done via Puppet

Technology Used at CERN

  • Telemetry Capture Layer: Apache Flume
  • Data Bus (Transport): Apache Kafka
  • Stream Processor: Apache Spark
  • Long-Term Data Store: HDFS
  • Real-Time Index and Search: Apache Solr
  • Visualization Platform: Hue

Data Sources (Telemetry)

  • Netflow
  • Bro Deep Packet Inspection Metadata
  • Raw network streams
  • Linux system logs
  • Windows Event Logs
  • Command execution logs
  • Netlogs
  • Web logs
  • Single Sign On logs
  • Other application logs...

Bro Capabilities

  • Comprehensive logging of activity for offline analysis and forensics
  • Port-independent analysis of application-layer protocols
  • Support for many application-layer protocols including: DNS, FTP, HTTP, IRC, SMTP, SSH, SSL
  • Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting
  • Real-time integration of external input into analyses
  • Support for IDS-style pattern matching
  • Event-based programming model

External Data Sources

Data from External Sources used to Enrich and Correlate Data

  • Network Database
  • DHCP
  • ARP tables
  • DNS
  • Active Directory
  • Foreman
  • Geo IP lookups

System Architecture

Collective Intelligence Framework

  • Cyber threat intelligence management system
  • Allows combining known malicious threat information from many sources
  • Common types of threat intelligence:
    • IP addresses
    • Domains
    • URLs
    • Hashes
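The correlation step the last three slides describe (Bro telemetry, enrichment from external sources such as DHCP, matching against CIF-style IP and domain indicators, a score per alert) as an added example; this is not CERN's code, and the Bro log lines, indicators and DHCP table are all constructed sample data (documentation IP ranges and .invalid domains).

```python
"""Added example: correlate Bro TSV logs with CIF-style indicators and
enrich hits with DHCP data. All inputs below are constructed samples."""
from collections import namedtuple

# Constructed Bro conn.log / dns.log excerpts in Bro's native TSV layout,
# where a "#fields" header line names the columns.
BRO_CONN_LOG = """#separator \\x09
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tproto\tservice
1433247600.1\tC1\t10.0.0.5\t51000\t192.0.2.10\t443\ttcp\tssl
1433247601.2\tC2\t10.0.0.6\t51001\t198.51.100.7\t80\ttcp\thttp
1433247602.3\tC3\t10.0.0.5\t51002\t10.0.0.9\t22\ttcp\tssh
"""
BRO_DNS_LOG = """#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tquery
1433247603.4\tC4\t10.0.0.6\t53000\t10.0.0.1\t53\tupdate.bad-example.invalid
1433247604.5\tC5\t10.0.0.7\t53001\t10.0.0.1\t53\twww.example.org
"""
# Constructed indicators as (type, value, confidence), the shape CIF feeds use.
INTEL = [("ipv4", "192.0.2.10", 85), ("fqdn", "bad-example.invalid", 65),
         ("ipv4", "203.0.113.4", 50)]
# Constructed DHCP lease table used for enrichment (IP -> hostname).
DHCP = {"10.0.0.5": "pc-alice", "10.0.0.6": "lxplus-test"}

Alert = namedtuple("Alert", "ts host src indicator itype score")

def parse_bro(text):
    """Yield one dict per record of a Bro TSV log, keyed by the #fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#fields"):
            fields = line.split("\t")[1:]
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split("\t")))

def correlate(conn_log, dns_log, intel, dhcp):
    """Return alerts for conn/dns records hitting an indicator, highest score
    first, with the internal host name resolved from the DHCP table."""
    ip_intel = {v: c for t, v, c in intel if t == "ipv4"}
    fqdn_intel = [(v, c) for t, v, c in intel if t == "fqdn"]
    alerts = []
    for r in parse_bro(conn_log):          # destination IP vs ipv4 indicators
        if r["id.resp_h"] in ip_intel:
            alerts.append(Alert(r["ts"], dhcp.get(r["id.orig_h"], "unknown"),
                                r["id.orig_h"], r["id.resp_h"], "ipv4",
                                ip_intel[r["id.resp_h"]]))
    for r in parse_bro(dns_log):           # query vs fqdn indicators (+subdomains)
        q = r["query"].lower()
        for fqdn, conf in fqdn_intel:
            if q == fqdn or q.endswith("." + fqdn):
                alerts.append(Alert(r["ts"], dhcp.get(r["id.orig_h"], "unknown"),
                                    r["id.orig_h"], r["query"], "fqdn", conf))
    return sorted(alerts, key=lambda a: -a.score)

if __name__ == "__main__":
    for a in correlate(BRO_CONN_LOG, BRO_DNS_LOG, INTEL, DHCP):
        print(a)
```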

Collective Intelligence Framework