Understanding Advanced Threat Detection: Insights from F-Secure's Cybersecurity Webinar
Overview
In this comprehensive webinar, Marco Finck, Director of Advanced Threat Protection at F-Secure, discusses the evolving threat landscape and the importance of advanced detection technologies in cybersecurity. Key topics include the attacker mindset, detection technologies, and practical tips for improving response capabilities.
Key Points
- Introduction to the Threat Landscape: Marco highlights the rise of advanced persistent threats (APTs) and the increasing sophistication of cybercriminals, including nation-state actors. For more insights on defending against such threats, check out our summary on Defending Against Nation-State Cyber Threats: Insights from Tailored Access Operations.
- Attacker Mindset: Understanding how attackers operate is crucial. They are goal-oriented and often exploit the path of least resistance, such as phishing and application vulnerabilities. To learn more about the role of digital forensics in understanding these attacks, see our summary on Understanding the Role of a Digital Forensics Investigator.
- Detection Technologies: The webinar emphasizes the need for a multi-faceted approach to detection, combining known and unknown threat detection methods, including machine learning and behavioral analysis. For a deeper dive into the technologies involved, refer to our Comprehensive Guide to Memory Analysis in Cybersecurity.
- Machine Learning Demystified: Marco explains the role of machine learning in cybersecurity, stressing the importance of data quality and the need for human oversight in the detection process. This aligns with the broader themes discussed in Incident Response and Digital Forensics: A Comprehensive Overview.
- Dos and Don’ts: Practical advice is provided, such as not relying solely on preventive measures and ensuring comprehensive visibility across both network and endpoint levels.
- Response Capabilities: The importance of measuring the time from detection to response is highlighted, with a goal of reducing this time to under 30 minutes. For those looking to enhance their incident response strategies, consider our insights from Building a Home Lab and Navigating a Career in Cybersecurity with Alberto Rodriguez.
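The "Machine Learning Demystified" point above rests on one concrete observation from the webinar: a single decision threshold placed at the centre of a principal component score produces a false positive on the malicious side and several missed samples on the benign side, so the speaker wants a wider band of scores analysed further instead of trusting the model alone. The following is an added illustration of that trade-off, not F-Secure's or the speaker's code: it builds a two-feature principal component score over a constructed sample set and compares one hard threshold against a review band routed to an analyst. Every feature value, label and band edge is made up for the demonstration.

```python
"""Hard decision threshold vs. analyst review band on a PCA score.

Added example on constructed data: the sample set, its labels and the band
edges are invented for the demonstration and are not the webinar's data.
"""
import math

# Constructed training set: (feature_1, feature_2, label), label 1 = malicious.
# Think of the features as two extracted per-object measurements, e.g. a
# rarity score and a behaviour-count score, both already scaled.
SAMPLES = [
    (0.0, 0.0, 0), (0.2, -0.1, 0), (-0.3, 0.2, 0), (0.1, 0.3, 0), (-0.2, -0.2, 0),
    (2.6, 2.4, 0),                  # benign object that looks like the malicious cluster
    (3.0, 3.0, 1), (2.8, 3.2, 1), (3.3, 2.9, 1),
    (0.6, 0.4, 1), (0.8, 0.7, 1),   # malicious objects that blend into the benign cluster
    (1.4, 1.6, 1),                  # malicious object close to the decision boundary
]


def first_principal_component(points):
    """Mean and unit-length first principal component of 2-D points (closed form)."""
    n = len(points)
    mx = sum(x for x, _ in points) / n
    my = sum(y for _, y in points) / n
    a = sum((x - mx) ** 2 for x, _ in points) / n        # var(x)
    c = sum((y - my) ** 2 for _, y in points) / n        # var(y)
    b = sum((x - mx) * (y - my) for x, y in points) / n  # cov(x, y)
    # Largest eigenvalue of the symmetric covariance matrix [[a, b], [b, c]].
    lam = (a + c) / 2 + math.sqrt(((a - c) / 2) ** 2 + b ** 2)
    if abs(b) < 1e-12:
        vx, vy = (1.0, 0.0) if a >= c else (0.0, 1.0)
    else:
        vx, vy = b, lam - a          # eigenvector belonging to lam
    norm = math.hypot(vx, vy)
    return (mx, my), (vx / norm, vy / norm)


def pca_scores(samples):
    """Project every sample onto the first component; the malicious side is positive."""
    points = [(x, y) for x, y, _ in samples]
    (mx, my), (vx, vy) = first_principal_component(points)
    scores = [(x - mx) * vx + (y - my) * vy for x, y in points]
    # The eigenvector sign is arbitrary: orient it so that the labelled
    # malicious training samples score positive on average.
    mal = [s for s, (_, _, lbl) in zip(scores, samples) if lbl == 1]
    if mal and sum(mal) / len(mal) < 0:
        scores = [-s for s in scores]
    return scores


def classify_hard(samples, threshold=0.0):
    """Binary verdict at one threshold (the line 'in the very centre')."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0}
    for s, (_, _, lbl) in zip(pca_scores(samples), samples):
        verdict = 1 if s >= threshold else 0
        key = {(1, 1): "tp", (1, 0): "fp", (0, 0): "tn", (0, 1): "fn"}[(verdict, lbl)]
        counts[key] += 1
    return counts


def triage_with_band(samples, low, high):
    """Auto-decide only outside [low, high]; everything inside goes to an analyst."""
    counts = {"tp": 0, "fp": 0, "tn": 0, "fn": 0, "review": 0}
    for s, (_, _, lbl) in zip(pca_scores(samples), samples):
        if low <= s <= high:
            counts["review"] += 1      # not trusted to the model alone
            continue
        verdict = 1 if s > high else 0
        key = {(1, 1): "tp", (1, 0): "fp", (0, 0): "tn", (0, 1): "fn"}[(verdict, lbl)]
        counts[key] += 1
    return counts


if __name__ == "__main__":
    print("hard threshold at 0:    ", classify_hard(SAMPLES))
    print("review band [-1.2, 0.8]:", triage_with_band(SAMPLES, -1.2, 0.8))
```

With the hard threshold the model auto-decides all twelve objects and gets three wrong (one false positive, two misses); with the band the two blended-in malicious objects and the boundary case are handed to an analyst instead of being silently labelled benign, while the look-alike benign object remains a false positive that only the auto-forensics and human steps described later in the webinar would clear.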
Conclusion
The session concludes with a Q&A segment, encouraging participants to engage and share their thoughts. A recording of the webinar will be available for those who wish to revisit the content.
FAQs
- What is the main focus of the webinar?
  The webinar focuses on advanced threat detection and the evolving cybersecurity landscape, emphasizing the importance of understanding attacker behavior and implementing effective detection technologies.
- Who is Marco Finck?
  Marco Finck is the Director of Advanced Threat Protection at F-Secure, with extensive experience in cybersecurity initiatives and technologies.
- What are advanced persistent threats (APTs)?
  APTs are prolonged and targeted cyberattacks where an intruder gains access to a network and remains undetected for an extended period.
- How does machine learning contribute to cybersecurity?
  Machine learning helps identify anomalies and potential threats by analyzing large datasets, but it requires high-quality data and human validation for effective results.
- What are some common methods attackers use?
  Common methods include phishing, exploiting application vulnerabilities, and using remote administration tools to gain unauthorized access.
- Why is it important to measure detection to response time?
  Measuring this time is crucial for understanding how quickly an organization can react to a breach, which can significantly impact the extent of damage caused by an attack.
- What should organizations focus on to improve their cybersecurity posture?
  Organizations should focus on building comprehensive detection capabilities, ensuring visibility across networks and endpoints, and continuously measuring and improving their response times.
Hello everyone and welcome to today's session. My name is Marco Finck and I will be presenting today. I work as a Director of Advanced Threat Protection in F-Secure. I've been working for the past 5 years in multiple initiatives where we bring out new sets of technologies and services, especially for company environments. During the past two years we've been focusing on bringing out a new set of technologies especially meant to catch advanced human attackers, and that will be on our agenda today.

A few practical matters: a recorded version of this webinar will be available afterwards, and we'd absolutely love to hear from you, so if you have any comments feel free to post them online, and there will be Q&A in the end.

As a reminder, we are running a series of webinars touching each major area of the holistic 360 view of cyber security, consisting of four main areas where we focus on prediction, prevention, detection (which is on the agenda today) and also the response. Finally there's the grey layer on top of all of these areas, and this refers to the requirement of proper management of the whole 360 cyber security. We have actually run two webinars already, so if you haven't checked those out feel free to do so; you'll find them from our Business Security Insider web pages.

About the agenda today: I will be briefly talking about the threat landscape and what's interesting in there, what's happening in the companies, highlighting a few trends, then talking about the attacker mindset approach to detection, how attackers operate. Then I'm going to make a few deep dives into the detection technologies, especially focusing on the demystifying of machine learning, because it seems to be kind of the real unicorn in the market today. Then I'm going to explain the man and machine approach which is required, and I'm going to give you lots of tips, for instance what to measure, ending with dos and don'ts and of course the questions and answers.

And what can you expect from this? If you happen to be a techie, I will give you quite a lot of pointers to what to actually look after when you are building yourself detection and response capabilities, and if you happen to be a Chief Information Security Officer I will be giving a lot of tips for you as well. So let's start by looking at what's
happening on the threat landscape, what is really interesting from our point of view, and it should be interesting for you as well. We see a lot of new APT discoveries, and APT is short for advanced persistent threat. We do see new nation state activities as well as criminals. I think most of these are actually criminally introduced attacks, but we still see quite a lot of nation state activities as well. And for those who don't know the news: at F-Secure we actually do more real criminal investigations in Europe than anybody else, and we do a lot of incident response cases, so I will be dropping quite a lot of tips on what to look for.

We see phishing campaigns on the rise; this is still the most typical way for you to get hacked. We do see an increase in zero days, but that's kind of a reminder that zero days are not your primary problem. The primary problem is the existing vulnerabilities where you already have a patch available, because these are the ones that most probably are going to get you hacked. But we do see more zero days, and the life cycle for one zero day is getting shorter and shorter.

When it comes to exploit kits, roughly 75% of the websites are at risk, so they run vulnerable software. Why does it matter for advanced threats? Because this can be used as a stepping stone, for instance to launch an attack against your organization by utilizing that legit website as the stepping stone. And most of the internet spam today is ransomware, so as a kind of comforting thought: if you're seeing a lot of ransomware and if it's a nuisance for you, well, it's a nuisance for everybody else, and the only way that this is going to go away is that we somehow manage to remove the financial goal that the attackers have when they launch these ransomware campaigns, and I'm not seeing that going away anytime soon.

So what's happening in the companies, just to highlight a few key trends. This is what Gartner is predicting: by 2020, 60% of the information security budget will be allocated to rapid detection and response approaches, and this is actually something that we see as well quite a lot. There simply aren't that many consoles in place in organizations today to actually see when and if something slips past the preventive layers. And in Europe of course we have preparations for the General Data Protection Regulation, and by the way, if you would like us to discuss this more, because we have been following this very closely, put us a comment and we will most probably run a webinar about this, so what does it mean for you inside the companies. So let us know.

All right, let's start our deep dive by first understanding the attacker
mindset. The attackers, when they go after your company, they have a goal. They are goal oriented and they will choose the path of least resistance. And if you first start by looking at cloud, I think this will be a kind of interesting topic for you, especially in the future, because I know that many of the organizations today, yours included, will be digitalizing their customer facing services and investing into these cloud services a lot more in the future. And the number one thing is that identity is, or has already become, the new attack surface. So whether we talk about targeting the company directly, by for instance trying to phish the usernames and passwords of the administrators, or attacking the end users for fraud, this happens a lot, and phishing is the most common way of this happening. There are also other targets that the attackers include: the number one is application level vulnerabilities and exploiting those, then SSH keys and certificates, and these kind of go hand in hand. One of the emerging areas that you may want to check is user and entity behavior analytics, and I actually have a link in the end. Today I will be mostly focusing on the internal network, but I kind of recognize that most of you are already purchasing for instance infrastructure as a service, so this kind of applies also for the cloud as well.

So the most common ways for you to get hacked are via phishing and exploits; that's kind of the path of least resistance. And we do see quite a lot of single shot attacks, ransomware is a good example, but we also see a lot of persistent attacks, and one of the common denominators in these is the use of common system internals like PowerShell, Windows Management Instrumentation, service commands and so forth, the use of common remote admin tools, or RATs, and hacking tools like Orcus, LiteManager, LuminosityLink and Mimikatz. And if you think that okay, well, we have network based IDS so we only need to detect the command and control traffic: these are getting more and more clever, for instance hiding inside Office 365, Gmail, HTTPS and so forth, and it's getting more and more tricky to actually detect this from the network level only. And one tip: look especially at non-malware techniques and internal network traffic. So let's start by looking at how
the attackers operate and what they are after. Like I mentioned, the goals are very clear, so what do they actually want to achieve? This we can put in two different categories: whether the attacker is after data, or they are after controlling certain critical capabilities. If you talk about the data, it can be customer data, emails, intellectual property and so forth. Just to give you one tip in here: if I would go after your data now, would I directly go after your servers to get the data? Well, most likely not. So what every company has in common is that you take backups. The direct question to you is: how many of you actually know and can trust the security of your backups? Just to give you the first tip in here.

It might be that the attacker is after the control of certain capabilities. The good example is the SWIFT attacks, gaining access to money transfer systems, which tend to be normal PCs, 0 M, energy grids, IoT; well, it will be the big thing in the future, especially using IoT to gain the initial foothold in the system, and ransomware is a good example as well.

But what is actually very important to understand is how does this actually happen? So how does a successful advanced attack happen? It usually starts with a spear phishing campaign: use a document with a PowerShell payload, or you might utilize an exploit kit when the link is clicked, and then establish persistence by dropping a simple remote shell backdoor, or you might actually go for the remote administration tool approach. Use system internals for lateral movement, hacking tools to dump passwords when hunting for admin accounts. Once the attacker has admin accounts then it's basically game over for the defender, and usually at that point they are already accessing the data or taking control of the critical capabilities.

And the most critical thing in here to understand is the moment when the attacker gains the initial foothold, and there are again three very important things to look after. Like I mentioned, user credentials, identity being the new attack surface; and one tip in here is to make sure that whenever this happens, because it will happen, the attacker cannot for instance dump your whole customer database. So start by making this more difficult, for instance using proper two-factor authentication always and so forth, especially for the critical accounts. Then you want to look at the operating environment, especially the initial moment when the attacker sneaks in the backdoor, uses the remote shell, uses malware to elevate from user to admin and so on, and it's very well known that all of these activities of course happen at the endpoint. Then we of course have the low-level operating system, more exotic attacks like BadUSB, BIOS firmware and all forms of rootkits.

But to give you some tips on what to look for: think about the attacker; when they are doing something inside your system they're going to leave footprints, and there are five different areas that you want to look at. You want to look for user level footprints; you want to look at what happens in the application level, because malware is just an application, so is a backdoor and so is for instance a remote administration tool; you want to look at what happens in the network level and especially internal network traffic; and then what happens in the operating environment, like I mentioned, system internals, remote IT admin tools; and then also the low level. So you want to actually check how much visibility you actually have today when it comes to these activities, and start from there.
Now if we take a look at the detection technology, we can roughly put this into two different categories. Number one is where we find known badness, and number two is where we find unknown badness, so something that we don't even know but look for.

If I start from category number one, we look for known bad behavior, and this can be malware and it can actually be non-malware, so we can look at both. One common example is the expert system, and this is actually something that we have mastered for a long period of time, and the common way to apply this is behavioral rule engines. We have IOCs, indicators of compromise, and simple signatures. And then you can always ask, okay, are signatures dead? Well, I would say that if you primarily use them for detection then it's dead, but there are many other ways that you can actually utilize them. A good example is that if we drop a sensor to an endpoint, what we actually do is what we call reverse whitelisting, so we use our signature database and we can immediately rule out 99.9-something percent of the clean files from that system. So if there happens to be a RAT, a potentially unwanted program, hiding there, if it's file based malware it will shine like a Christmas tree. So there's still quite a lot of uses for signatures and file hashes.

Then we have the second category, where we actually find unknown badness, so something that we don't even know, and we find this by looking at deviances from any known good behavior. And again this can be malware or non-malware, and examples are machine learning, or ML, and then statistical modeling.

A tip in here for the audience: a question that I get asked a lot is why not invest in blocking technologies only, and why use a reactive technology and approach for detection and response? Now, if you go against an advanced attacker, they would get immediate feedback on whether or not they are successfully gaining the initial foothold, and you're going to be giving this initial feedback. We've seen examples where the attacker has used for instance multiple backdoors and some clever A/B testing for spear phishing, where we can initially see that okay, the first backdoor was removed, the second backdoor was removed, but the third one was not, and it was successful when it beaconed back home, and then we later on went and did some recovery afterwards, but the breach had already happened. But the more fundamental reason is the following: I mean, if you rely on preventive measures, you as a defender need to be right 100% of the time, while the attacker needs to be right only once, and like I mentioned it's actually pretty easy because you get the initial feedback and you get it right away. If you rely on reactive detection, the attacker needs to be right 100% of the time and you as the defender need to be right only once, and you are not giving that initial feedback or immediate feedback. And usually it's actually a pretty good idea to learn a bit more about the attacker than just the initial backdoor.

So I'm going to now make a deep
dive into machine learning, because there is so much marketing happening in the market, and machine learning sometimes feels like it's the real cyber security unicorn, the kind of one trick that will solve all the problems. So I wanted to make a bit of a deep dive just to give you an understanding of how it actually works.

We've been using machine learning in various forms for over 10 years. There are basically two different machine learning ways. One is supervised machine learning, where you basically train the program on a predefined set of training examples, which then facilitates its ability to reach an accurate conclusion when given new data. So think about it as you have a set of data which is the training set, then you have feature extraction, so you extract the things that you are interested in, then you run it through the machine learning algorithm, and you either directly get some form of anomaly detection results, or you want to apply for instance clustering and grouping of the objects and then take a look at those further. And then of course there is unsupervised machine learning, but I'm not going to go into details with that.

One thing which is important to understand is the confidence score. The end result is not a binary yes or no, and we need to set a decision making threshold to define whether something is malicious or not. So what this actually means, I'm going to show you an example. This is one of the machine learning algorithms that we use, we call it principal component analysis, so if you want to make a further analysis of how it actually works you can do so, but this is just a sample data set. What you can actually see in here are a few clear trends, and if we put the decision threshold in the very center, you can see that from the decision point to the right everything gets detected as malicious, but you can immediately see that there is one false positive there. But the more worrying thing is the things that are left on the left side, which are detected as benign, and there are quite many samples that we have actually missed. The range that we actually want to analyze further in this case is the range from minus 0.4 to 0.3, so we want to look at a bit wider range, so we don't simply want to rely on machine learning only, and I will come back to this a bit later on.

So how do we actually do it? One topic that I want to touch, and this is a kind of tip for you to take away from this presentation, is that the quality of the data is absolutely the most important factor in applying machine learning, and of course you can say that there is an even more important thing: the availability of the data in the first place. So ML does not find all anomalies from your network; it solely depends on the availability of quality data. And the most common issue that I see is that many try to look for anomalies from log data. The issue with this is that the data is not exactly high quality, and most importantly, most of the critical data is missing in the first place. So what happens in the end is that, in order to make some sense out of this, the ML algorithms are actually applied to very limited data sets, and that's giving you poor detection coverage. And I have to say that if I would be you, I would be really skeptical of any solution sold on top of log collection and analysis systems. At least you want to ask what is the data that you process, because from that you already know what it can detect.

So as an example, how do we actually utilize machine learning to
detect advanced threat actors? This is really the needle in a haystack analysis. So we start by applying machine learning, because it's really an efficient way to raise anomalies from the baseline, but we don't trust the machine learning only, and the next step that we do is what we call auto-forensics functions. This might be for instance statistical baseline analytics, so kind of heavy processing, and the goal in here is to help the threat analysts to qualify the end result as benign or malicious. And then as a third step we actually have humans who know how the attackers think, and they can qualify the case as an incident and then, most importantly, start immediate containment activities.

If I expand this a bit: we use multiple different detection technologies as an efficient way to raise the anomalies, so we look for known badness but we also look for unknown badness, so it's kind of a combination of both, and then we have a lot of auto-forensics technologies to help qualify the results as benign. Just to give you one example of what we actually mean: let's assume that we would get from the network sensor a detection that there is a connection to a known bad IP address. What the auto-forensics does is it collects the information that okay, it was this host, in this host there was a process that did the connection, and what were the behaviors before that, just to make sure that the threat analyst has the information to make that quick classification and then immediately start the containment actions. And then of course on top of that you need to count in also the incident responders to lead the critical incident process, to make sure that you have the process in place, and then the remediation efforts and aftermath.

As a key takeaway, it is actually the time it takes from detection to response where the companies fail today, and I will actually come back to this a bit later on. So as a tip, when making a decision on which solution to use for detection, focus especially on the quality of the detection and all the relevant intelligence your threat analyst will need in order to make the quick decision and start the immediate containment activities, because the clock is ticking. Like I said, this time is absolutely critical.

And then let's do some dos and
don'ts. The first don't is: don't rely on preventive measures. I know this is like me preaching to the choir, but still, skilled attackers will get through your preventive measures; it's not a matter of if, it's a matter of when. Like I said, we actually do white hat hacking as well, so we do a lot of red teaming and penetration testing for our customers, and I have to say it's surprisingly easy to breach the preventive measures. And on the other hand we do quite a lot of real crime scene investigations, so we actually see this happening on a day-to-day basis. So it's not a matter of if, it's a matter of when, and it's not even that difficult, to be honest.

Don't rely on a single detection technology. There really are no unicorns. Don't go to a vendor and ask "do you do machine learning?" and if they say yes then you feel that, ah, I'm so relieved, now we have all the problems solved. That's not going to happen. The best combination is to apply multiple detection technologies, and especially focusing on making the decision making easy for the threat analysts, who are the guys who need to do the remediation activities in the end. And remember, you need man and machine to be able to detect advanced threats, and it's not just about detection, it's about the response part, so always take that into account and actually measure the time it takes from detection to response.

This is a long one: don't rely on a single point of detection, i.e. only network. Most companies where we actually go, we see that they have network based IDS, and there are a few common issues. Well, you know that it's really easy to hide and remain undetected: you might use traffic fragmentation, tunneling via known good protocols, I mentioned using Gmail as a command and control, etc. etc. etc. So there are so many different ways to hide the traffic. One of the common issues as well is that most solutions actually look at the edge traffic, but they don't look at the internal network traffic, for instance you can't see lateral movement; that's a big, big issue. And if you think about the future, I think most of the traffic eventually will be encrypted, for instance HTTP/2 by default uses crypto. And then again, even if you get a detection, it originated from an endpoint, which basically means that you immediately need to get visibility into what actually happened in that endpoint, so you're going to have to have that endpoint visibility in the end anyway.

And as a kind of closing thought, we were actually thinking that okay, what are the most common
issues with the IDS systems and how they are run today, and we kind of came to the conclusion that the most fundamental issue is that we actually have never seen a well-maintained IDS system.

Then some dos. So what are the recommendations that we would give to you? Start by building good sensor detection coverage, so having good detection coverage on both endpoint and network, and especially the ability to cross reference between these two. So if you see a connection going to a suspicious IP address, what happened in the endpoint, and vice versa. Focus also on the retention of the data; especially you want to keep the data for a long period of time and you want to have detection capabilities for the old data. A good example is that if someone else inside your vertical, let's say banking, gets targeted, you want to look for signs of whether you have been targeted as well, or if you actually have a breach ongoing. So you want to retain the data, and it always helps if you have to go back for any reason to do any type of investigation, so that you actually have the data, and it actually makes the machine learning better as well, as well as the statistical analytics. And if you need to make a choice, start from the endpoints. I know many of you don't like agents, that's okay, but you absolutely have to have good visibility of the endpoint; it doesn't really matter, but if you cannot deploy agents, start from the network; as long as you start, then that's okay. And as a kind of last thought, look at deception, honeynets etc. as a kind of emerging alternative. I know many of us have been deploying honeypots for like 15 years, but there are some cool developments in here as well, and I put some links at the end.

Do measure your detection and response capabilities by going against a skilled attacker. Many companies have asked me that okay, how do we actually know, if we are selecting our vendor or managed security service provider, whether they are any good? So what is in the SLA that we need to look for? And I'm like, there is really no SLA that can give you the answers; the only way for you to know for sure is that you go against a real advanced adversary. So do utilize skilled red teams and penetration testing companies, and do so that you don't even know about it. And many times I get the comment that why would I want to do this, because it's kind of proving to my boss that I'm not doing my job properly. But think about it: this is kind of a way for you to convince the budget holders that you actually have to do something about it, because you know what the problem is, and it's a lot worse that you actually don't know how good your detection capabilities are, or whether you have processes in place to properly contain when you go against a skilled adversary. So it's better to know than not know, believe me; we've been in quite many companies who have taken the route of not knowing and then they've been hacked, so that's not a pleasant place to be, especially in the future because of the GDPR.

And the last thing that I absolutely want you to take away from this
webinar, so the most important thing: measure the time from detection to response. Now this is where the companies fail today. This is where it comes from when you go to the web and you see that okay, it looks like it takes 200-plus days for the companies to actually detect a breach, and in many cases the eventual notification that there was a breach comes from external sources. And it does not really matter how good your detection solutions are if you don't have the skilled people available 24/7 to contain and remediate.

As a kind of guiding principle, start by knowing your baseline, and this actually maps to the previous slide, so figure out where you are today when it comes to detection capabilities, and then measure your current capability, and then start setting improvement goals. Improve step by step, or you might want to look for managed solutions, and the end goal should be something which is less than 30 minutes. The reason why this is so important is that you need to figure out what is the time that it takes for the attacker to gain access to the critical data or capabilities that you have, which are most commonly the goals if they will ever target your company, and how much time will it take for the attacker to gain access to there, and then set that time.

And as further reading I put some links which are beneficial, and now it's time for the Q&A.

All right, so it appears there are no questions, which is of course excellent. A few reminders: the recording will be available, so if you joined during the presentation and you want to revisit some other topics, you will get a notification once the recording is available. And just a reminder that the next webinar in this series will be about the response, coming shortly after this one, so we are hoping to see you there. So thanks for joining, and we are closing and wrapping up the session.
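The auto-forensics step the speaker describes in the transcript (a network sensor sees a connection to a known bad IP address; the tooling then collects which host it was, which process on that host made the connection and what that process did beforehand, so the analyst can classify quickly and contain) can be shown in code. What follows is an added illustration, not F-Secure's product logic or the speaker's material: the IOC entry, the alert and the endpoint telemetry are all constructed (TEST-NET addresses, invented host names and PIDs), and the case record it assembles is the kind of information the speaker says the threat analyst needs. It also illustrates the "start from the endpoints" point, because the same IOC hit on a host without process telemetry cannot be attributed to anything.

```python
"""Auto-forensics style enrichment of a network sensor hit.

Added example with constructed data: the IOC list, the alert and the endpoint
telemetry below are invented for the demonstration (TEST-NET addresses, made-up
host names and PIDs) and are not F-Secure's data or the speaker's tooling.
"""
from datetime import datetime, timedelta, timezone

KNOWN_BAD_IPS = {"203.0.113.45"}   # constructed IOC feed entry (TEST-NET-3 range)

# Constructed network sensor detection, as in the speaker's example.
NETWORK_ALERT = {"ts": "2017-03-01T10:15:07Z", "host": "WS-0142",
                 "dst_ip": "203.0.113.45", "dst_port": 443, "rule": "ioc-ip-match"}

# Constructed endpoint telemetry for two hosts over a few minutes.
ENDPOINT_EVENTS = [
    {"ts": "2017-03-01T09:58:10Z", "host": "WS-0142", "type": "process", "pid": 3980,
     "ppid": 812, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"ts": "2017-03-01T10:12:00Z", "host": "WS-0142", "type": "process", "pid": 2210,
     "ppid": 3980, "image": "chrome.exe", "cmdline": "chrome.exe"},
    {"ts": "2017-03-01T10:13:50Z", "host": "WS-0142", "type": "process", "pid": 4120,
     "ppid": 3980, "image": "WINWORD.EXE", "cmdline": "WINWORD.EXE /n invoice.docm"},
    {"ts": "2017-03-01T10:14:30Z", "host": "WS-0142", "type": "process", "pid": 4388,
     "ppid": 4120, "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -enc <constructed>"},
    {"ts": "2017-03-01T10:14:41Z", "host": "WS-0142", "type": "file", "pid": 4388,
     "path": r"C:\Users\alice\AppData\Local\Temp\upd.exe"},
    {"ts": "2017-03-01T10:15:00Z", "host": "WS-0142", "type": "network", "pid": 2210,
     "dst_ip": "198.51.100.10", "dst_port": 443},       # unrelated browser traffic
    {"ts": "2017-03-01T10:15:06Z", "host": "WS-0142", "type": "network", "pid": 4388,
     "dst_ip": "203.0.113.45", "dst_port": 443},        # the connection the sensor saw
    {"ts": "2017-03-01T10:15:05Z", "host": "WS-0177", "type": "network", "pid": 900,
     "dst_ip": "203.0.113.45", "dst_port": 443},        # other host, no process telemetry
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def find_connecting_process(alert, events, tolerance=timedelta(seconds=60)):
    """Endpoint network event on the alert's host to the same destination, close in time."""
    t0 = parse_ts(alert["ts"])
    for ev in events:
        if (ev["type"] == "network" and ev["host"] == alert["host"]
                and ev["dst_ip"] == alert["dst_ip"]
                and abs(parse_ts(ev["ts"]) - t0) <= tolerance):
            return ev
    return None


def process_ancestry(pid, host, events):
    """Walk ppid links upwards; returns the chain root-first, ending with pid itself."""
    by_pid = {e["pid"]: e for e in events if e["type"] == "process" and e["host"] == host}
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:   # 'seen' guards against a ppid loop
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    chain.reverse()
    return chain


def preceding_behaviour(tree_pids, host, before, events, lookback=timedelta(minutes=5)):
    """Everything the process tree did in the window just before the connection."""
    start = before - lookback
    hits = [e for e in events
            if e["host"] == host and e["pid"] in tree_pids
            and start <= parse_ts(e["ts"]) < before]
    return sorted(hits, key=lambda e: e["ts"])


def enrich_alert(alert, events, known_bad=KNOWN_BAD_IPS):
    """Assemble the case an analyst needs: host, process, ancestry, prior behaviour."""
    case = {"host": alert["host"], "ioc_match": alert["dst_ip"] in known_bad,
            "process": None, "ancestry": [], "preceding": []}
    conn = find_connecting_process(alert, events)
    if conn is None:
        return case                      # network-only visibility: nothing to attribute
    chain = process_ancestry(conn["pid"], alert["host"], events)
    if chain:
        case["process"] = {"pid": conn["pid"], "image": chain[-1]["image"],
                           "cmdline": chain[-1]["cmdline"]}
        case["ancestry"] = [p["image"] for p in chain]
    tree_pids = {p["pid"] for p in chain} | {conn["pid"]}
    case["preceding"] = [
        (e["ts"], e["type"], e.get("image") or e.get("path") or e.get("dst_ip"))
        for e in preceding_behaviour(tree_pids, alert["host"], parse_ts(conn["ts"]), events)]
    return case


if __name__ == "__main__":
    import json
    print(json.dumps(enrich_alert(NETWORK_ALERT, ENDPOINT_EVENTS), indent=2))
```

For the constructed alert the case comes back with the IOC match, the connecting PowerShell process, the explorer.exe to WINWORD.EXE to powershell.exe ancestry and the three events the tree produced in the preceding minutes, which is what lets an analyst classify in seconds rather than hours. Calling enrich_alert with an alert for the second host, where only the network event exists, returns the host name and the IOC match and nothing else: the network-only situation the speaker warns about.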
Heads up! This summary and transcript were automatically generated using AI with the Free YouTube Transcript Summary Tool by LunaNotes.
Related Summaries

Defending Against Nation-State Cyber Threats: Insights from Tailored Access Operations
In this talk, Joyce from Tailored Access Operations shares critical insights on how organizations can defend against nation-state cyber threats. Emphasizing the importance of understanding one's own network, Joyce outlines key strategies for identifying vulnerabilities, implementing best practices, and maintaining robust security measures to thwart advanced persistent threats.

Incident Response and Digital Forensics: A Comprehensive Overview
In this engaging webcast, Paul Sarian and John Strand delve into the critical topics of incident response and digital forensics, responding to audience demand for more content in these areas. They discuss practical tools, techniques, and the importance of baselining systems to effectively identify and respond to security incidents.

Building a Home Lab and Navigating a Career in Cybersecurity with Alberto Rodriguez
In this insightful discussion, Alberto Rodriguez shares his journey in cybersecurity, detailing how he built a powerful home lab for just $800 and his experiences as a SOC and offensive lead. He emphasizes the importance of understanding both offensive and defensive tactics in cybersecurity and offers valuable advice for beginners looking to enter the field.

Comprehensive Guide to Windows Event Log Analysis in Incident Response
In this webcast, Hal Pomeranz, a Digital Forensic Investigator, shares insights on analyzing Windows Event Logs for effective incident response. He discusses key event IDs, their significance, and how to leverage them for understanding attacker behavior during investigations.

Comprehensive Overview of Incident Detection and Analysis
This presentation covers the critical aspects of incident detection and analysis, emphasizing the importance of understanding governance, risk, and compliance (GRC) in the context of security operations. It discusses the full cycle of incident response, the tools and methods for detection, and the significance of collaboration among different teams in managing security incidents.