IT Security Operations Centres
How to Deal with Cyberthreats
Liviu Vâlsan
UK HEP SYSMAN, 2nd of June 2015
Global Computing ↔ Global Cyber Threats
- The past few years have seen profound changes in the underground economy and organised crime:
  - Cybercrime is highly profitable
  - Profits are to be earned globally
  - With minimal risks
  - Malware-as-a-Service
  - Specialised markets → new areas of expertise → new opportunities
Cybercrime at Scale
- Interpol:
  - Cybercrime is bigger than cocaine, heroin and marijuana trafficking put together
  - 80% of online crime is connected to international organised gangs
- Most large attacks now target both Windows and Linux
- Significant impact for the HEP community
Exploit Kit Infection Chain
Source: Trend Micro
Commercial Exploit Kits
- Fierce competition between a handful of exploit kits (EK)
- Huge progress on time-to-market for exploits:
  - Only hours/days before vulnerabilities are available in EKs
  - CVE-2015-0311 and CVE-2015-0313 discovered as Flash "0-day" inside EKs
Source: Trend Micro
EKs: Detection of Antivirus and VM Products
Source: Trend Micro
EKs: File Obfuscation
Source: Trend Micro
Magnitude EK: Malware-as-a-Service
(Magnitude EK - 31% of the market in 2014)
Source: Trustwave
Rig EK Control Panel
Source: Trustwave
Email, the Leading Source of Compromise
- >90% of breaches caused by spear phishing
- Extremely effective:
  - 10 emails = 1 click guaranteed
  - Targeted phishing: ~70% success rate
  - HEPiX Spring 2015: 9% click rate (good, technical audience)
Targeted Phishing Campaigns at CERN
- Since Dec 2014 CERN has been the victim of a targeted phishing campaign
- ~20 variants of the Geodo malware, not detected / blocked by any major antivirus:
  - Constant evolution: Cridex, Feodo, Geodo, Dridex, Emotet, etc.
  - Short email campaign, ~6-8h maximum
  - Antivirus vendor needs ~9-24h to detect
Anatomy of an IT Security Operations Center
- Centralized system dealing with the detection, containment and remediation of IT threats
- Ensures that security incidents are properly:
  - Identified
  - Analysed
  - Reported
  - Actioned / defended
  - Investigated
  - Communicated
SOC Components
- Unified platform for data:
  - Multiple data access / view patterns
    - Command line interface
    - Web-based dynamic dashboards for querying and reporting
- Extensible, pluggable, modular architecture
- Data access control policies
Data Analytics
- Several data analysis patterns:
  - Streaming
  - Batch
  - Interactive
- Statistical analysis, anomaly detection
- Data correlation and enrichment
- Easy integration of intelligence feeds
Alerting
- Real-time
- Rules-based
- Contextual
- Scoring system for alerts
- Automated reports
- Anomaly alerts
- Emphasis on quality and not quantity of alerts (reduce the number of FPs)
- Predictive modelling
Technology Goals
- Scale out, not scale up
- Integrated with the rest of the CERN IT ecosystem
- Use commodity hardware (as much as possible)
- Use cheap, massively-scalable storage (standard disk arrays)
- Deployment inside OpenStack (whenever possible)
- Configuration management done via Puppet
Technology Used at CERN
- Telemetry Capture Layer: Apache Flume
- Data Bus (Transport): Apache Kafka
- Stream Processor: Apache Spark
- Long-Term Data Store: HDFS
- Real-Time Index and Search: Apache Solr
- Visualization Platform: Hue
Data Sources (Telemetry)
- Netflow
- Bro Deep Packet Inspection Metadata
- Raw network streams
- Linux system logs
- Windows Event Logs
- Command execution logs
- Netlogs
- Web logs
- Single Sign On logs
- Other application logs...
Bro Capabilities
- Comprehensive logging of activity for offline analysis and forensics
- Port-independent analysis of application-layer protocols
- Support for many application-layer protocols including: DNS, FTP, HTTP, IRC, SMTP, SSH, SSL
- Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting
- Real-time integration of external input into analyses
- Support for IDS-style pattern matching
- Event-based programming model
External Data Sources
Data from External Sources used to Enrich and Correlate Data
- Network Database
- DHCP
- ARP tables
- DNS
- Active Directory
- Foreman
- Geo IP lookups
Collective Intelligence Framework
- Cyber threat intelligence management system
- Allows combining known malicious threat information from many sources
- Common types of threat intelligence:
  - IP addresses
  - Domains
  - URLs
  - Hashes
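As an added illustration (not code from this talk or from CERN's SOC), the following Python sketches the enrichment and correlation step the last two slides describe: Bro-style records are enriched from DHCP and Active Directory data, matched against a CIF-style indicator set (IPs, domains, hashes), and only high-confidence hits become alerts, in line with the "quality, not quantity" goal from the Alerting slide. Every host, user, indicator and log line below is a constructed placeholder.

```python
# Constructed CIF-style indicator set (indicator -> confidence 0..100); all placeholders.
INTEL = {
    "ip": {"198.51.100.23": 85},
    "domain": {"update-check.example.invalid": 95},
    "md5": {"d41d8cd98f00b204e9800998ecf8427e": 60},  # empty-file MD5 as placeholder
}
# Constructed enrichment sources standing in for DHCP leases and Active Directory.
DHCP_LEASES = {"10.0.0.15": "pc-lab-015", "10.0.0.42": "pc-lab-042"}
AD_OWNER = {"pc-lab-015": "jdoe", "pc-lab-042": "asmith"}
ALERT_THRESHOLD = 80  # only high-confidence matches become alerts (quality over quantity)

def parse_bro_line(line):
    """Fields used here: ts, src, dst, dns query, file md5 ('-' = absent, as in Bro)."""
    ts, src, dst, query, md5 = line.rstrip("\n").split("\t")
    return {"ts": ts, "src": src, "dst": dst, "query": None if query == "-" else query,
            "md5": None if md5 == "-" else md5}

def enrich(event):
    """Attach hostname and owner looked up in the site's DHCP and AD data."""
    host = DHCP_LEASES.get(event["src"])
    return {**event, "host": host, "owner": AD_OWNER.get(host)}

def score(event):
    """Return (highest confidence among matching indicators, list of hits)."""
    hits = []
    for kind, field in (("ip", "dst"), ("domain", "query"), ("md5", "md5")):
        value = event[field]
        if value in INTEL[kind]:
            hits.append((kind, value, INTEL[kind][value]))
    return max((h[2] for h in hits), default=0), hits

def alerts_for(lines):
    """Enrich, correlate and filter raw log lines into scored alerts."""
    out = []
    for line in lines:
        ev = enrich(parse_bro_line(line))
        best, hits = score(ev)
        if best >= ALERT_THRESHOLD:
            out.append({"host": ev["host"], "owner": ev["owner"], "score": best, "hits": hits})
    return out

# Constructed sample records: ts, src, dst, dns query, file md5 (tab-separated).
SAMPLE = [
    "1433232000.1\t10.0.0.15\t198.51.100.23\t-\t-",
    "1433232001.2\t10.0.0.42\t10.0.0.53\tupdate-check.example.invalid\t-",
    "1433232002.3\t10.0.0.42\t10.0.0.9\t-\td41d8cd98f00b204e9800998ecf8427e",
    "1433232003.4\t10.0.0.15\t10.0.0.53\tintranet.example.invalid\t-",
]
```

Running `alerts_for(SAMPLE)` yields two alerts (the IP and domain matches); the hash match stays below the threshold and the benign lookup produces no hit at all.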
Collective Intelligence Framework