
Cyber Situational Awareness

November 2013
Written by: Robert Koblovsky and Peter Chapman

Executive Summary

Traditional defense tools are failing to protect enterprises from advanced targeted attacks and the broader problem of advanced malware. In 2013, enterprises will spend $13 billion on firewalls, intrusion prevention systems (IPSs), endpoint protection platforms and secure Web gateways. Yet advanced targeted attacks (ATAs) and advanced malware continue to plague enterprises.[1] The degree to which firewalls and anti-virus lack effectiveness is debatable. What is not debatable is that the evolving, ever-changing threat landscape is leaving many organizations, in both the public and private sectors, at risk. We must implement new ways of detecting and protecting against network-based attacks.

Your network is under attack and you have two options. You can play ostrich and hide your head in the sand, or take a proactive approach to protecting your organization. The former approach will result in compliance issues, which will reflect negatively on corporate governance and frankly puts your brand at risk, not to mention potentially exposing intellectual property.

In this white paper we provide an overview of cyber situational awareness and introduce Phirelight's newest offering, rapidPHIRE.

Introduction

Corporate perception of the state of technology, and of its impact, often lags behind reality; case in point: cyber security. The general perception in business today, when it comes to understanding the cyber landscape, is often "what we have is good enough", however that is defined within your organization. Unfortunately it is often based on what we experienced in the past rather than a reflection of what is happening today. The resulting gap puts you and your organization at risk. Although it is an often overused cliché, you don't know what you don't know, and what you don't know can hurt you. Decisions are often based on incomplete, inaccurate, outdated or stale information.
The computing security model of the past decade, based on firewalls, anti-viral services, intrusion detection controls, system event monitoring, VPNs, etc., is failing to detect and block the most advanced malware.[2] In March of 2012 Robert Mueller, Director of the FBI, stated that: "There are only two types of companies, those that have been hacked and those that will be."

"Because cyber threats are both a relatively new and constantly evolving source of risk, many organizations may not be as effective at managing cyber threat risk as they are at managing risk in other areas." Deloitte Risk Intelligence Series

[1] Five Styles of Advanced Threat Defense, Orans & D'Hoinne, Aug 2013, Gartner
[2] Cyber Securities Failures: Value of the Human Firewall, Jon Stout, Aug 2013, Infosec Island

More recently, in May of this year (2013), at a luncheon sponsored by Phirelight, Howard Schmidt, the former cyber security Czar for both Presidents Bush and Obama, noted that "It is not when or if your IT system will get breached. That ship has sailed." Certainly the statistics we see support that. On average, over 31% of PCs worldwide are infected at any given time. The large majority of those infections are due to the multi-stage deployment of Trojans. There are 73,000 new strains of malware created every day. Attackers have already foiled many of the defenses designed to block malware and protect end users: polymorphism has made circumventing antivirus software trivial, infecting legitimate Web servers with malicious JavaScript stymies Internet block lists based on reputation, and domain generation algorithms are designed to foil take-down efforts.[3] Computer viruses are similar to real-world viruses. They change and morph over time in an attempt to circumvent detection.

Today, anyone can become a hacker with pre-configured attacks that can be bought and supported over the web. All you need is a simple credit card. Software as a Service has penetrated the dark side.

Figure 1: Reverse shell payload creation using Metasploit

[3] Emerging Cyber Threats Report, Georgia Tech Security Summit 2012

Target vehicles for cyber attacks are new leading-edge technologies that are gaining traction in the marketplace. The proliferation of mobile devices has resulted in a new set of attack vectors through which hackers can penetrate the organization. Those same mobile devices generate massive amounts of unstructured data, fueling the big data phenomenon. Requirements for storing massive amounts of both structured and unstructured data, compared to 15 years ago, have driven storage to the cloud. Vendors' desire to sell once and collect often, promulgating software as a service, has also contributed to the expansion of the cloud.

"Welcome to the Post-PC Era, the era dominated by truly portable devices with embedded GPS, near-field communication capabilities, microphones and HD video cameras and processing power equal to or greater than traditional computers. Our dependency on cyber space grows by the day, our access points and networked devices are legion, and our cyber security systems are losing their foothold. Passwords, firewalls, security keys, encrypted memory sticks: traditional security measures no longer fully address the many sophisticated new challenges we face." Cyber Security Manifesto, International Executive Council

The need and desire to communicate anywhere, anytime and anyhow has forced business and government to open up access to their networks for their users, customers, supply chains and critical infrastructure. As a result, we are vulnerable.

"Automation enables them (hackers) to continually carpet-bomb business and government websites with malware. A single break-in could shrink your client's bottom line by tens of millions of dollars. So use every hacker-related headline and incident to remind executives that cyber attack prevention and overall digital security must always be top priorities."[4]

According to an article in Fraud Magazine dated October 2012, a cyber attack has five phases:

Phase 1: Reconnaissance. Most often, hackers do this by executing sophisticated Google queries using advanced search capabilities freely available on the search engine's home page. The objective is to identify servers connected to the internet.

Phase 2: Probing. Unlike the first phase, in which the hacker communicated with Google, here he communicates directly with servers. The hacker's objective in this phase is to determine whether those servers are vulnerable. "The hacker will do this by attempting to confuse each server's login software and break into its system by disrupting the user identification process," Butterworth said. "Although the hacker's success rate is low, he still stands to profit greatly each time he gains unauthorized access."

[4] Online battlefield: Cyber attack vectors, Fraud Magazine, October 2012

Phase 3: Attack. Usually, this results in nothing more than the hacker getting far enough into a company's system to demonstrate that the fraudulent access can be repeated at a later time. "And that paves the way for the hacker to come back after work hours when employees have gone home, and it's unlikely that a system administrator is monitoring activity on the server."

Phase 4: Payload Delivery. This is the stage when a hacker would install malware on the server, "but if all he wants to do is break in, copy information and never come back, no installation would be necessary."

Phase 5: Exploitation. Successful completion of this step is the hacker's ultimate goal: a theft or other fraud on a date some time well after the original break-in. By this point, the server activity log that recorded the hacker's initial break-in might well have been overwritten. The distance between the first entry and this one frustrates investigators and makes it harder to identify the hacker, who gets away with data and leaves little or no trail.

The responsibility for IT security, and all that it encompasses, is no longer the purview of the IT department alone. It is quickly becoming the responsibility of every individual within the organization, from C level down. A perceptual shift is occurring where cyber security is very much becoming a discussion of governance and risk tolerance, changing the conversation from one focused on technology to one focused more on process. The reality in today's environment is that you cannot fully secure your information assets while still being able to meet the needs of your employees, customers and partners. Sharing is the new normal. Information security strategies need to shift. According to Gartner Group, there needs to be an emphasis on rapid detection and response. Timely identification and remediation are key to any successful cyber protection strategy.
Today that is not the case, as is evident from the statistics in Figure 2 below.

Figure 2: Attack Resolution Time Frames (chart: Average Days to Resolve Attack, axis 0 to 60 days, by attack type: Malicious insiders, Malicious code, Web based attacks, Denial of Service, Phishing & social, Stolen devices, Malware, Botnets, Viruses, Worms &). Source: Ponemon Institute

We can no longer afford to wait. We need to be able to wrap our heads around the large amounts of data captured. We must be more proactive. A fifty-day window to address and resolve malicious code is not acceptable. We need to identify, in near real time, attacks on our networks so we can mitigate the risks not only for our own departments and businesses but also for our partners and constituents.

The Situational Awareness Reference Model

Although this paper's focus is specifically on Cyber Situational Awareness, the concept and framework apply to other areas, not just cyber. There are many definitions of situational awareness. The accepted definitions are based on the work of Dr. Mica Endsley, who has authored over 200 scientific articles and reports on situation awareness, decision-making and automation. Endsley defined three levels for the model: perception (what are the current facts), comprehension (what is actually going on) and projection (what is most likely to happen if...). B. McGuinness and J.L. Foy[5] extended the model, adding a fourth level, resolution (what exactly shall I do).

Perception is the starting point for situational awareness. Perception provides information about the status, attributes and dynamics of relevant elements within the environment.[6] Comprehension includes the integration of multiple pieces of information and a determination of their relevance.[7] Projection refers to the ability to make predictions based on the knowledge and insight gained, a projection of the elements of the situation into the near future.[8] Resolution is the path taken to achieve the desired state change to the current situation.[9]

A collaborative research study entitled Cyber SA: Situational Awareness for Cyber Defense states that Situation Awareness for Cyber Defense consists of at least seven aspects:

1. Be aware of the current situation.
2. Be aware of the impact of the attack.
3. Be aware of how situations evolve.
4. Be aware of adversary behaviour.
5. Be aware of why and how the current situation is caused.
6. Be aware of the quality of the collected situation awareness items.
7. Assess plausible futures of the current situation.

[5] A Subjective Measure of SA, B. McGuinness & J.L. Foy, SA Conference, Georgia, USA, Oct. 2010
[6] Overview of Cyber Situational Awareness, George P. Tadda & John S. Salerno, 2010
[7] Overview of Cyber Situational Awareness, George P. Tadda & John S. Salerno, 2010
[8] Overview of Cyber Situational Awareness, George P. Tadda & John S. Salerno, 2010
[9] Overview of Cyber Situational Awareness, George P. Tadda & John S. Salerno, 2010

"We need real-time situational awareness in our networks to see where something bad is happening and to take action there at that time." Gen. Keith Alexander, Director of the National Security Agency, 2010

Visualization plays a key role in helping us grasp and comprehend the information presented. When data is presented, a user tends to be: 1) overwhelmed by volume and lack of context; 2) reliant on individual expertise for understanding; and 3) required to mentally process (fuse, assess and infer) the data.[10] A picture is worth a thousand words. We are able to process significantly more information if it is presented visually rather than textually. In addition, patterns, links and relationships are more easily perceived when the information is presented in a visual format. This is especially true when we are trying to understand and gain insight from data, finding relationships and patterns among thousands or even millions of variables to determine their relative importance.

Specific to network cyber attacks, other factors come into play. How well does the system detect the attacks? How long does it take to identify an attack, and what is the elapsed time between detection and action/resolution? The tactical level of cyber situational awareness (where we are today) must also address operational levels. For example, does the CSO want to know how many viruses were detected, or what the risk may be to the business given defined parameters?

Figure 3: Cyber Situational Awareness Evolution (Creating Cyber Situation Awareness; source: Mitre.org)


[10] Overview of Cyber Situational Awareness, George P. Tadda & John S. Salerno, 2010

Introducing rapidPHIRE from Phirelight

No one will argue the point that traditional protection (AV, firewalls, IDS) is not working. "...in many ways we are seeing the industry revert from a threat prevention strategy to a threat detection strategy when dealing with modern malware and advanced persistent threats (APTs)."[11] New methods are required to keep ahead of advanced cyber threats. To be truly effective, cyber threat intelligence must be fused with real-time operational systems. We need to be able to see the threats early. Signature- and rule-based intrusion detection isn't enough. Behaviour tracking is an essential requirement to successfully identify hackers.

rapidPHIRE is a complete, network-based situational awareness solution merged with cyber threat intelligence. It is an advanced cyber warning ecosystem. The CyRIN (Cyber Risk Intelligence Network) service provides all rapidPHIRE systems with real-time, CERT-generated cyber threat intelligence that you can't get anywhere else. rapidPHIRE complements your existing defense-in-depth security approach to provide cyber threat intelligence and situational awareness that identifies undiscovered malicious activity in your networks and on your endpoints. rapidPHIRE provides security professionals and decision makers with relevant, actionable information specific to network threats, as they happen, as well as the ability to view and analyze historical data. Deployed inside an organization's data networks, rapidPHIRE passively inspects network traffic, searching for indicators of compromise (IOCs) that have crossed the network perimeter, bypassing traditional defences. rapidPHIRE performs its IOC inspection function both in real time and historically, looking back in time to the extent of its stored records (e.g. 90 days back).

[11] Modern Malware and the Balance Between IDS and IPS, Security Week, September 2012

rapidPHIRE works across all phases of an attacker's process, providing the following business benefits:

- Improved efficiency of network security and computer emergency response teams
- Reduced executive-level culpability, by providing insight into data loss or malicious insider activities
- Cost reduction through reduced network utilization, by taking action to reduce or eliminate high-risk security traffic

rapidPHIRE delivers immediate cyber incident response intelligence to network operators if and when positive matches of IOCs have been located within their network. Each rapidPHIRE instance will update its IOC registry (using both CERT-generated and commercial threat intelligence) in real time as new cyber threats are discovered. These instances will monitor their respective networks for occurrences of IOCs, scan historical data for past occurrences, and then report to the network owners when IOC hits occur.

Earlier in this white paper we defined seven aspects of the Cyber Situational Awareness Model. Below we have mapped rapidPHIRE's capabilities against the model.

1. Be aware of the current situation
   - Real-time identification and alerting for IOCs
   - Reveals hidden or obscured malware communication paths
   - Provides a continuous cyber threat tracking intelligence feed

2. Be aware of the impact of an attack
   - Weighted IOC scoring
   - Identifies undiscovered malicious activity in your network and on your endpoints

3. Be aware of how situations evolve
   - The ability to view and analyze historical data
   - Watching user behaviour that may be a pre-infection or post-infection indicator

4. Be aware of adversary behaviour
   - Identify the source of an attack
   - Identify suspicious communication paths entering and leaving the network: tunnelling, odd domains, foreign server destinations, etc.

5. Be aware of why and how the current situation is caused
   - Intentional or unintentional compromised user activity
   - Link malicious events (IOCs) to user behaviours, demonstrating root cause

6. Be aware of the quality of the collected situation awareness items
   - rapidPHIRE will update its IOC registry using both CERT-generated open source and commercial threat intelligence. The focus of the solution is to reduce cyber threat noise and false positives, ultimately delivering the highest caliber of Incident Response Intelligence

7. Assess plausible futures of the current situation
   - Pinpoints gaps in cyber security posture
   - Eliminates incident response time
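The IOC workflow described above (a registry fed by threat intelligence, real-time matching of observed traffic, a look-back over stored records when a new indicator arrives, and a weighted score per endpoint) as an added Python example; this is not Phirelight's code and says nothing about rapidPHIRE's internals. The 90-day retention follows the paper's example, while the indicator weights, host names and flow records are constructed.

```python
# Added example, not Phirelight's code: a compact model of the IOC workflow the
# paper describes, with a registry update re-scanning retained records (90 days).
from dataclasses import dataclass, field
from datetime import datetime, timedelta

RETENTION = timedelta(days=90)  # paper: look back "e.g. 90 days"

@dataclass
class Flow:
    ts: datetime
    host: str  # internal endpoint that originated the connection
    dst: str   # destination IP or domain seen in the traffic

@dataclass
class Monitor:
    registry: dict = field(default_factory=dict)  # indicator -> weight (constructed)
    history: list = field(default_factory=list)   # retained Flow records
    alerts: list = field(default_factory=list)    # (host, ioc, weight, mode)
    def observe(self, flow):
        """Real-time path: retain the record, prune past retention, match."""
        self.history.append(flow)
        self.history = [f for f in self.history if f.ts >= flow.ts - RETENTION]
        self._match(flow, "realtime")
    def add_indicator(self, ioc, weight, now):
        """Feed update: register the IOC, then re-scan retained history for it."""
        self.registry[ioc] = weight
        for f in self.history:
            if f.ts >= now - RETENTION and f.dst == ioc:
                self._match(f, "historical")
    def _match(self, flow, mode):
        weight = self.registry.get(flow.dst)
        if weight is not None:
            self.alerts.append((flow.host, flow.dst, weight, mode))
    def host_scores(self):
        """Weighted score per endpoint; each IOC counts once per host, so a noisy
        beacon to one indicator does not outrank a single high-weight hit."""
        seen, scores = set(), {}
        for host, ioc, weight, _ in self.alerts:
            if (host, ioc) not in seen:
                seen.add((host, ioc))
                scores[host] = scores.get(host, 0) + weight
        return scores

def demo():
    """Constructed traffic; 198.51.100.x and 203.0.113.x are documentation ranges."""
    t0 = datetime(2013, 11, 1)
    m = Monitor(registry={"203.0.113.9": 40})
    m.observe(Flow(t0 - timedelta(days=100), "ws-03", "198.51.100.7"))  # beyond retention
    m.observe(Flow(t0 + timedelta(days=1), "ws-01", "198.51.100.7"))  # IOC not yet known
    m.observe(Flow(t0 + timedelta(days=5), "ws-02", "updates.example.net"))  # benign
    m.observe(Flow(t0 + timedelta(days=10), "ws-01", "203.0.113.9"))  # live hit
    m.add_indicator("198.51.100.7", 80, now=t0 + timedelta(days=12))  # triggers look-back
    return m
```

Running demo() yields one real-time alert and one historical alert, both for ws-01; the ws-03 contact is never reported because it had already aged out of the retained records before the indicator became known.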

rapidPHIRE is available in four configurations: Alert, Alert+, Aware and Aware Global. The rapidPHIRE ecosystem is made up of the following components; Alert includes six of them, Alert+ seven, Aware eleven and Aware Global all twelve:

- CyRIN Powered Real-time CERT Advisories
- Email Notification
- Historical Inspection
- Weighted IOC Threat Scoring
- File Summary Reporting
- Endpoint Compromise Detection
- SecViz Graphical Forensics
- Application Awareness Reporting
- DNS Inspection
- Second Stage File Analytics
- Multi-WAN
- Global Dashboard

For additional information on rapidPHIRE, contact Phirelight by emailing sales@phirelight.com or by calling (877) 672-8070 or (613) 276-8443.
