Stories from the SOC – vol. 2016

BSides Warsaw · 2016 · 55:26 · Published 2016-10

Authors: Gaweł Mikołajczyk, Oskar Fusek, Takahiro Sugiyama

Transcript [en]

Excellent. Hello everybody, good to be here for the fifth time. For the last five years I did some presentations myself, but now there is a monumental change in our style of delivery: I have brought two of my team members here to talk about what we find in the SOC, in Active Threat Analytics in Krakow. So together with me we have Oskar, who is our security analyst in the Krakow SOC, and we have Taka, who is our security investigator in the Tokyo SOC. We have one hour, so we prepared something I think interesting for you. We come from the world of detection, so our main goal is to find threats

as they arrive on the network, on the endpoint, on the infrastructure devices, and more and more it's a very hard task to accomplish. You know, we are living in quite... maybe it's not the right word, but well, somebody has to make a living, and our customers are huge companies. I mean, our smallest customer is larger than the biggest enterprise in Poland; we don't have any customers here. So it's hard at this scale to detect threats in a meaningful way, discover stuff and produce some value every day. So we'll show you what we are finding, and of course we will show you what we can show you, and

it will be something like 10 cases. Some of them are very popular, some maybe less, from the deterministic analysis and from the statistical traffic baselining and anomaly detection world. This is the goal of this presentation. To remind you, I did some presentations in the previous years: in 2012 I did IPv6 security; everything is available on SlideShare. We did one about network telemetry, and we actually use that a lot, flow analytics. More modern, or more important: nobody believes that log telemetry is enough in today's world. We move into behavior analysis, we move into statistical analysis; a lot of the traffic is encrypted and we cannot do proper

decryption, so it's a very important topic. Then I was talking about networking security treasures, what was being developed two years ago. Right now, for the detection part, it's Cisco and Snort; we sponsor this project, it's heavily supported by us. Right now we have Snort 3, OpenAppID, many extensions to the original Snort engine are being developed, so it's quite an interesting topic. And last year we did an introduction to ATA, so we announced that we are going to build a security operations center in Poland, and over the last year we actually did it. So if you look at what happened, this

is last year, this is how it looked when I came on board. I was employee number one in Krakow, and basically my first task was to build the facility. So we did it, and this is how it looks today. We are based in our Enterprise Park office, and of course if you would like to visit, please let us know. This is where we work from in Poland. The second hub is in Tokyo, and Taka is representing the Tokyo SOC, and we have our main hub, the mothership, in RTP in North Carolina, in this famous technology hub. And

a little bit about technology. Well, detection is hard. I think we are kind of... I don't want to say losing the battle between people who do offensive stuff and the defensive side, but if you need to do proper detection at massive scale, do it in a reasonable timeframe, identify the threat, mitigate it and do some IR functions there, it's a hard task to accomplish. And of course the resources you need to do proper detection: to store the data, to store the flow telemetry, to do enrichment, to mangle the data, to run analytics on top of that, and finally to record the full packet capture for the highest level of investigation, to find things on the wire. It's

extremely expensive, because we are moving into the petabyte world. How do you run real-time queries, how do you build such an engine? So you have a data center to protect and you need to build a second one to defend and detect. Not everybody can afford it; this is the problem, because you will not spend 50 million on your DC and another 50 on the detection: taps, servers, analytics and stuff. To do it you need to have people, right. Of course we do more and more automated hunts, we do more machine learning, either zero-knowledge or some hypothesis-based machine learning. We've actually acquired a company called

Cognitive, maybe you know the guys; they are sitting in the Czech Republic, in Prague. Those are 50 people who have PhDs in statistics and they do nothing more than, you know, build new models to analyze, let's say, the distribution of DNS requests and analyze what kinds of queries new malware uses. So this is the problem we are facing, and it is not an easy problem. This is how we do it: we build a huge technology stack, it's a full rack of gear, and we ship it to our customer. We connect the taps, we acquire all kinds of telemetry, we generate our own telemetry, we acquire full packet capture, and we run our tool

set on that. We connect via a permanent VPN to the gear and to all the tooling, which is a pretty hard thing, and it's not, let's say, cheap. Basically it's quite a feat to accomplish. So this is what we do, and now I will pass on to Oskar to give you some insight into what we do on the detection side, more on the deterministic detection side, and Taka will follow up with the more anomaly-detection side of the house. Oskar, please.

Thank you, thank you Gaweł. Hello everybody, my name is Oskar, I have worked for Cisco for half a year now, and

I am the first security analyst here. So I'm going to talk about something we detect in our SOC, a few recent cases that we detected and escalated to our customers. The first one is an exploit kit. I bet most of you know what an exploit kit is, but to remind you, it's a kind of injected code on a web site from which a redirection can occur, and then the exploit kit can be mounted, which detects and tries to exploit vulnerabilities of the victim's installed software or web browser, for example. Doing that, it can download some malware like ransomware; it's very popular these days.

So how do we do it in our SOC? Basically we've got the ATA service, the Active Threat Analytics managed security service. ATA is a kit, as we can see like this, on the customer premises; it's a kit that has a lot of different security monitoring tools and combines a lot of different meters to detect threats that occur in the customer network. Basically we have a tap, so a sensor installed on the customer network which gathers all the telemetry from the customer network and sends it to the PCAP, so we can check it later if there is such a need. So basically for this case, for the Neutrino exploit kit, we received

a Sourcefire event about a possible redirection attempt. As you can see, from the external IP to our customer's internal host; the host name was www dot marty-something, so that was the page the victim entered, and a possible redirection occurred. Checking deeper, the ATA analyst investigated what was going on there; the full packet capture is the best way to show us what was going on, and we can see that on this site, www marty-something, right after entering this site another site was opened, something from the 85-dot IP address. That shows us that there was more than only that marty site; the next site is a say-hulk-acm site

from the 92-dot IP address. Looking deeper, we can see that a file was actually downloaded from the say-hulk-acm site and it was a Flash file, so possibly it was a malicious file. At this point the analyst investigated some part of the case and escalated it to our investigators, so they could check whether the file was malicious or not. The investigator checked it: they downloaded it, looked at the hash of the file, and as we can see from VirusTotal it shows that it's possibly some Neutrino. Detonating it in a safe environment, for example in Threat Grid, our own Cisco sandbox solution, for detecting the

callbacks from the malware that is detonated, he checked that there were some callbacks for that specific malware and tried to find them on the customer network. He did not find anything, so possibly the malware hasn't been downloaded, but the customer needs to be notified about this, so he created an alert, a ticket, about this action in the customer portal. As we can see, we are using VERIS, the Vocabulary for Event Recording and Incident Sharing; it's a set of metrics used for security incident analysis, to be in a common, more widespread language. So as we can see the action was malware, the vector was web drive-by, it

was a downloader, it was an external one, and as we can see that marty site was actually a restaurant site, so the victim probably was checking some restaurants. The restaurant site was injected with a redirection, probably with an iframe, so the redirection occurred, the file was downloaded, but the malware was probably blocked by something, and the customer notified us that they checked the system and remediated it, because the customer does the remediation part of the incident on their own. Of course we've got a different team especially helping with security incidents, the incident response team, sorry. And as we can see, that case was closed as resolved; the confidential data has not been impacted. So

the next one is the LatentBot malware. LatentBot malware is a kind of backdoor which can spy on the victims; it can also download files. One of the security companies says that it has been on the internet since 2013 but hadn't been detected, and in 2015 it began infecting machines and spreading through the world, doing some checking and spying on its victims. For this one, the ATA analyst received a Sourcefire event that says there is a connection to the trojan LatentBot. Checking deeper, we can see that it's a variant outbound connection, so possibly something was trying to connect to the command server, and as we

can see, looking at the ATA analyst's look on the full packet capture, we checked that hello packets were sent, and a lot of them; it was a very noisy call-out to some external destinations, which were confirmed by the investigator, and the customer was notified about this and advised what we should do about it. That picture is an alert from the customer portal about this case. The customer checked the infected machine, blocked the external destination IPs, and because of that it was resolved. Another case is the very popular SQL injection. OWASP says... I think in the 2013 Top 10 it's the first:

injections are the first on that list. So basically we received, in this case again, a Sourcefire event which shows us a possible SQL injection attempt. Looking at the IPs and the host name, we can see that it occurred for the customer site, and there is some more information about the URI where it happened. The analyst checked the full packet capture, of course, to see what was really happening there, and revealed that for this particular case there was a 200 OK HTTP status, which means it could possibly have been successful and some data could have leaked due to this. He escalated this case to an investigator to check it out more deeply. Of course

the customer has been notified about this case too, because possibly confidential information could be stolen due to that SQL injection attack. As we can see we've got also the VERIS section here: hacking, SQL injection, web application. What the customer has done: he blocked the malicious IP and applied some restrictions to the web server on that particular site, which now does not allow trying to inject any kind of SQL statements. He also checked whether information was stolen; for that case it hasn't been stolen, and no further attacks have been observed. Any further SQL injection attacks were not successful; possibly a 404 HTTP status occurred.

The next case is a brute-force attack, a very popular method to try to enter valid credentials. A Sourcefire event for SQL injection was received, and checking it we can see that there was the alert in Sourcefire. Then looking at the full packet capture showed that that particular SQL injection was not successful, because it was a 404, nothing happened there, but checking deeper in the PCAP of that particular host, the analyst found that there were many attempts, and a successful attempt, to get to the administrator index.php, the back-end page of that site. Looking at what was going on there, we can see that someone was trying to

brute force the credentials; we can see username admin, admin, password Michael, and a lot of these. The analyst escalated the case to the investigator, who confirmed that such activity took place. The customer has been notified about this case and contacted us. The previous case was also very similar to this one, but it concerned a totally different site; we have two sites here for the customer, and different source IPs concerning the brute force. What the customer did: he blocked the malicious IPs and restricted access to that administrator back-end page, so when we saw an attempt to enter it, it was not allowed because of that restriction.

Locky ransomware, a popular malware this year, and ransomware... Actually, our analysts are focusing on searching and trying to find security incidents on various premises, so not only concerning Sourcefire events, the deterministic and signature-based ones, but also doing plays. So basically, to put it simply, some scripted searches for particular, maybe interesting, cases and activities on the customer network. So for that particular case an email play was conducted and searched through attachments on the customer site concerning possible malicious ones and phishing that could occur. As we can see, one of them was found, and it was actually a campaign,

a phishing campaign, trying to get the customer to open the attachment, which is probably very malicious and will infect the customer's machine. As we can see, the subject of this mail was a confirmation of a loan in an attachment, and in the content the bank says that it's a confirmation letter that he should review by just opening the attachment. As we can see, the attachment has a randomized name, so it's possible that it was not human-made, because now there are algorithms that name the attachments to avoid detection by, for example, some very simple antivirus protection. The analyst first checked the hash of the

file, looking whether it had been seen previously, and it turned out that it had, because VirusTotal, for example, says that it's some kind of downloader, possibly Locky ransomware in this case. The analyst investigated it at this point, and to check it more deeply the call-outs needed to be revealed, so he escalated it to an investigator. The investigator detonated it in a safe sandbox environment, for example Threat Grid, our own sandbox solution, and the call-outs were revealed. So we see that some HTTP traffic was being made to some 9-something and 185-something addresses. The investigator checked the premises and the network, the full PCAP of the customer, looking for those

specific IPs, whether they would be there, which would mean that the infection actually occurred: the attachment was opened, it contacted the C2 server and possibly the infection occurred. But in this case there was no connection to those IPs, and basically the case at this point was closed, but the call-outs that were made have been recorded for future purposes, for example a hunt, about which maybe Taka will tell you more. Yeah, and that's everything from me; now I will give my microphone to Taka. Taka, please.

Thank you, Oskar. [Applause] Hello, I am Taka from the Tokyo SOC. As Gaweł

said, the ATA service has three SOCs all over the world: Tokyo, Krakow and RTP in the US. Actually the Tokyo SOC is not very [inaudible], just like that, with a dragon, but some people are working in the Tokyo SOC doing security monitoring and analysis for many Japanese customers but also other countries' customers. Today I would like to introduce some cases which are about looking for anomalies, because Oskar's cases were mainly signature-based detection and also deterministic detection. It is actually very good and reliable to use, because we already know those threats, but the negative point of signature-based detection is

that it can detect only known threats, of course. So ATA is also trying to catch unknown threats which are not covered by any signatures, so it is conducting several detection mechanisms to look for anomalies, which may or may not actually be breaches, but if any anomaly is found in the customer environment it is probably very good for customers to know in some cases. The following cases are ones which were actually not security breaches, but they would hopefully highlight some of our approaches to detect unknown threats. So I would like to show the first case, which is traffic-based monitoring. With the same picture, we are taking customer

traffic into our kit, and there is an engine which is called metadata extraction. That engine is, as named, extracting the URI of HTTP or network flow information from the raw traffic. Of course PCAP has the most detailed information, but for some purposes metadata would be better utilized, like automatically searching for something or calculating something. In this case the metadata extraction engine generates flow information, and we make use of this raw information: there is an advanced analytics engine, which is calculating some parameters on this extracted flow information, and it raised an alert on a particular

sort of role like that. Just showing this information wouldn't make any sense, but I will explain the meaning a little bit later. When we see this alert, there is a very high number, the anomaly index, so we would check this particular service role, and looking into this, it looked like this: at the end of July, as you can see, there is an apparent change in trend, there is a great increase in traffic bytes. This is actually traffic from a particular database server to a particular server on a particular protocol, so it is actual database

communication with a particular server, and it suddenly increased very much. It's interesting, and we conducted several investigations, including looking at syslog messages ingested from the customer environment, like that, but honestly we couldn't find any suspicious information. But we notified this event to the customer so that our customer could confirm if it was actually an unexpected event or not, and the customer confirmed it was benign: this traffic change was due to a special operation to transfer huge data, which was intentionally done by the database administrators. But there is a security team at the customer who we are facing, and they were not aware of it, so because of this notification the SOC team could know about the network a

little bit better.

Some details I'd like to explain: that customer environment is considered relatively static. There are a lot of kinds of environments, so if it is an office network maybe this kind of traffic spike is not a problem, but that customer's environment is a web customer's environment and should be pretty still, and as you saw before, before the increase at the end of July that communication was relatively low and stable. And one more thing: several servers, which are called critical assets, have been defined, which should be cautiously monitored. And the method we are applying

is really here: it is a very simple statistical method, which can be found in the very early pages of textbooks, which calculates and updates the mean and variance value of each monitored role, so per server, protocol or communication pair, and for each of the monitored roles an anomaly index is calculated, based on an expectation that the variable is distributed on a standard distribution, a Gaussian distribution, which is actually never true but sometimes it may be useful. In this model, the reported anomaly index, which was 149, indicates that the probability of that event is about 10 to the power minus 16; it's almost impossible.

Yep. I would like to show another case, about DNS tunneling. First I would like to tell the result: this actually happened, but this was a customer's internal pen testing, because some customers do internal pentesting without notifying us, because one purpose is of course to see their own security environment from the perspective of security, but the other one is actually to test us, whether we can detect such activities. This case was this one. So the flow is similar to the former: there is traffic ingested into our kit, the metadata extraction engine is extracting metadata for DNS queries

and responses, and the advanced analytics engine is looking at these DNS queries and raised an alert like that. It is small and probably hard to see, but this is the query string, and the next row: a pretty long query string which apparently looks abnormal, and this kind of alert was raised a lot. So at this point we already know that something anomalous is happening; actually the query is operating consistently with DNS tunneling activities. There are some tools to do DNS tunneling, like dnscat, so it should be reported to the customer. But usually, as we see in many internet traffic, the querier is actually,

for almost all cases, a cache server, a DNS server, which is transferring data to the Internet on behalf of the actual client, and this is a major problem when you want to do correction at the client. So more investigation has been done, which is looking at syslog messages: that customer is also sending DNS server logs, which are for such made queries, so in that log we can see the client IP address and the query itself and the query type, and also the response. So a client IP address has been determined; this exact client is performing this DNS anomalous activity, and this was reported to the customer as an

incident report.

Honestly, our customer had notified ATA that they were going to perform some penetration testing some day, so we queried if it was a test or not; if it is not a test, it is a very severe incident. And the customer confirmed that this was actually an internal penetration test performed by themselves, so we felt very comfortable. Okay, the customer tested us. I

tried to show some background on DNS tunneling. Some reports or blogs state that DNS tunneling is considered one of the methods which we need to be most cautious about, because DNS is permitted everywhere and tunneling is very easy to use. But due to the purpose of the method, to bring data on DNS queries and the responses, the query usually directly produces much longer parameters than usual. This is some information from our Talos blog; you can see this information on this URL. Here is a distribution of subdomain lengths, so like 40 or 50... 50-character subdomains are already over [the usual],

and DNS tunneling queries may look like this; it is very different from user queries. So based on that we took a look at the length of DNS queries, and it detected the DNS tunneling activities. But there would be several considerations, because several services generate very long names actually, including our own services: in case of looking up domain reputation, this produces a very long DNS query, which is actually a TXT query. And also you may know that Amazon AWS host names are usually very long, so these kinds of names should have been already eliminated before conducting these analytics. And also internal names in the customer environment

are sometimes very long, so when implementing this kind of method, looking for anomalies, I would say it is very important to maintain environment-specific training to reduce false positives. If we wouldn't do any training like this, we would report many of our own sensor-based activities, which we don't want to investigate because we know that it is our service.

This is all about my part, so I'd like to pass on to Gaweł again. Thank you, Taka. [Applause]

So ladies and gentlemen, you saw some of the things that we detect in our SOC. Detection is hard, exploitation is easier. This is the main message and the main topic, and there is a huge disproportion between what you have to do to exploit some vulnerability or to get into the system, and what you have to do to detect, and we are on the detection side. So I hope it was useful for you, I hope it was valuable. Of course it's a never-ending story: we have new threats and we need to

adapt, and we apply new innovative approaches to do it. So just to summarize, in order to build a SOC, because many people come to us and say "OK, I will build a SOC tomorrow": no, you will not, because to build a SOC, if it's a real SOC, you need to have 24 by 7; if not, it's just a security department and you go home on the weekend and enjoy the weekend, right? But if it's a SOC, it's an operations environment; you have to do it 24 by 7, so you need at least 15 people, 15 analysts, and then you have to have investigators.

You have to have people who know how to work with the tools, how to build them, how to tune them, how to build new custom tools, and how to maybe buy some commercial product and introduce it into your detection environment and modify it, and do some statistical analysis, and this is a totally different kind of science: it's data science. So not everybody can afford to hire a data scientist. It's actually quite a nice story: you know, an engineer in Silicon Valley earns, I don't know, 100 thousand dollars plus, and the data scientists earn three hundred thousand, so how many of them can you hire? That's the question. All right, so this is the analytics part. So if you have three,

it's 1 million dollars per year. Then you have to have security intelligence, you have to have threat intelligence. Security intelligence is data; threat intelligence is contextualized data that is relevant for my environment, based on what resources I have, what workloads I have, what applications and what kind of business I am in. This sense of relevancy is where threat intelligence comes into play. And then you have to have technology, and a lot of that. This is how we do it, and I hope those examples were quite interesting. So just to summarize: we are growing our glorious ATA SOC and we

are hiring, and we are hiring in all the categories you can imagine, from the more entry-level jobs: this is a kind of entry-level job, intelligence analyst, technical writer. If you are starting a cybersecurity career: you know, Cisco is producing quite a lot of devices, right, there are millions of Cisco routers, switches, firewalls, IPSes, IP phones, and they have some vulnerabilities, because humans write the code and it is prone to error, right? So we have the vulnerabilities in our own products and in third-party products, and of course we have millions of companies using those, and we have to very precisely, transparently, ethically produce information if we find a vulnerability, and this is what we call

intelligence or vulnerability bulletins. If you go to cisco.com/security you have a long vulnerability list: you know, Apache, open source software in Cisco software, and Microsoft software, and we produce it constantly to give exact information: what is it, what is the impact, of course the CVE, the CVSS approach, and what you can do, what you have to do, what are the interim releases or patches, bug fixes, or versions of software that fix this problem, right? So writing it, as a beginning for your security career, I think it's great, because after half a year of writing this stuff and researching this information in many sources you know exactly what is going on on

the market, what are the current vulnerabilities this week; it's very interesting and valuable knowledge. So this is kind of the entry. Then we have the threat analyst job, where you are using various detection tools and techniques; we are showing you Sourcefire, but we are not religious about the tools that we use: we use a lot of free software, we use commercial tools, we use of course Cisco Sourcefire detection technology, and Oskar focused on that a bit, but if we think that there is some other commercial product on the market that does the job,

we just buy it, that's the end of the story; the decision is very simple. You know, I recently met a mathematics guy who actually is in the venture capital business and is always sitting in Silicon Valley, and he told me, it was quite interesting, that he had just sold OpenDNS to Cisco for half a billion dollars, and of course he said, you know, there are 600 cybersecurity companies, startups; you will not ever be able to invent everything yourself. This is why such events are important, like BSides, sharing the knowledge, and of course there are a lot of genius people that are just developing the code or

hardware or both, or some ideas, and of course we try to use it as much as we can for our own advantage and to protect the companies we work with, right? And there is the info security investigator role, where you know all of that and add on top some data science knowledge, working on big datasets, writing new custom tools and adjusting methodologies to a specific environment. This is the investigator job: normally you have spent several years in the detection environment, in the SOC, and you have your own ideas how to enhance our tool set and techniques. And we

have other roles. We have engineers, security engineers: the newest CCIE Security in Poland, Lucas Adamski, passed his exam, the results came last week on Monday, right? So we have also an engineering team and talent, because apart from all of that that we mentioned, we are managing all the security devices. I mean, our last customer from last week told us: "Hey guys, I don't have any Cisco device but I will give you my FireEye boxes, because I know that you will do it right, Cisco, thank you, please accept it," and we said OK, we'll do it. Right, so we are not religious about technology; we do all the

major vendors as well. And there is also the role of info security investigations manager; it's a customer-facing role, it means that you are actually sustaining the relationship for, say, three years or more that we have in the contract, and you did all of this stuff for the last 10 years and you have an opinion on that, and you are able to communicate effectively and generate relevant information and answer questions in real time, because of course we detect stuff, but also the companies we work with are asking us questions: "Hi guys, we saw that in our

Splunk, or we saw that in our very special detection system that you, Cisco, don't have access to; can you tell us, did you see something?" And we say OK, we'll check it for you, and we will do a custom investigation based on what we get, right? So it's mutual communication, it's not a plug-and-play approach. So that's it, thank you so very much, we really appreciate that we could come here and share this with you. We'll be here for the next 30 minutes with Taka, and I need to drive him to the airport; he's flying, I believe, to China for some penetration testing training, and Oskar

will be here until 6:00 p.m. So thank you so very much, enjoy the rest of the day. Thank you. [Applause]
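The two anomaly-detection cases Taka describes (the per-role traffic baseline with a Gaussian anomaly index, and DNS query-length scoring with environment-specific allowlisting to suppress false positives) share one statistical core: keep a mean and variance per monitored role and ask how far a new observation sits from it. The following is an added example written for this transcript, not code from the talk or from Cisco ATA; it assumes the anomaly index is the absolute z-score with its two-sided Gaussian tail probability (the talk does not state ATA's formula), and every traffic row, DNS query and allowlist suffix in it is constructed sample data.

```python
"""Added example (not from the talk): Gaussian anomaly index over baselined
telemetry, applied to (1) per-(server, protocol) daily traffic bytes and
(2) DNS query length with an environment-specific allowlist.  The index
formula is an assumption; all telemetry below is constructed."""
import math
from collections import defaultdict


def baseline(values):
    """Mean and population variance of a training window."""
    n = len(values)
    mean = sum(values) / n
    var = sum((v - mean) ** 2 for v in values) / n
    return mean, var


def anomaly_index(value, mean, var):
    """Return (|z|, p): standard deviations from the baseline mean, and the
    two-sided tail probability of at least that deviation if the variable
    really were Gaussian (which, as the speaker notes, it never quite is)."""
    sd = math.sqrt(var)
    if sd == 0.0:
        # Constant baseline: any change at all is maximally surprising.
        return (float("inf"), 0.0) if value != mean else (0.0, 1.0)
    z = abs(value - mean) / sd
    return z, math.erfc(z / math.sqrt(2.0))


# ---- Case 1: traffic bytes per monitored role ---------------------------
# Constructed daily byte counts for one database server/protocol role.
# Days 1-14 are the training window; day 15 is a bulk transfer.
DB_TRAFFIC = [("10.0.5.20", "tcp/1433", b) for b in [
    2.1e9, 2.0e9, 2.3e9, 1.9e9, 2.2e9, 2.1e9, 2.0e9,
    2.2e9, 2.1e9, 1.9e9, 2.3e9, 2.0e9, 2.1e9, 2.2e9,
    9.8e9,
]]


def score_traffic(rows, train_days=14):
    """Baseline each (server, protocol) role on its first train_days samples
    and score the remainder.  Returns {role: [(bytes, index, p), ...]}."""
    by_role = defaultdict(list)
    for server, proto, nbytes in rows:
        by_role[(server, proto)].append(nbytes)
    scored = {}
    for role, series in by_role.items():
        mean, var = baseline(series[:train_days])
        scored[role] = [(b, *anomaly_index(b, mean, var))
                        for b in series[train_days:]]
    return scored


# ---- Case 2: DNS query length with allowlisted suffixes -----------------
# Constructed suffixes that legitimately produce long names here: the
# internal zone, a reputation service answering TXT lookups, and cloud
# provider host names.  Matched on label boundaries so that
# "badcorp.example" is not accepted as "corp.example".
ALLOWLIST = ("corp.example", "rep.example", "amazonaws.com")

# Constructed training window of ordinary user queries.
NORMAL_QUERIES = [
    "www.example.com", "mail.example.com", "cdn.example.net",
    "api.example.org", "login.example.com", "update.example.com",
    "static.example.net", "ntp.example.org", "docs.example.com",
    "img.example.net",
]

# Constructed DNS server log rows: (client_ip, qname, qtype).  The client
# address comes from the resolver's log, since the querier seen on the
# wire is usually the cache server acting on the client's behalf.
DNS_LOG = [
    ("10.0.7.31", "www.example.com", "A"),
    ("10.0.7.44", "ec2-54-12-34-56.eu-west-1.compute.amazonaws.com", "A"),
    ("10.0.7.44", "d41d8cd98f00b204e9800998ecf8427e.rep.example", "TXT"),
    ("10.0.7.52", "x7q3k9pz2mvt8r4w1hb6nd0cjfy5lgs9ae2uo4ti7qz.t.example.net", "TXT"),
    ("10.0.7.52", "q2w8e5r1t9y4u6i3o0p7a5s2d8f1g4h6j9k3l0z5x7c1v.t.example.net", "TXT"),
    ("10.0.7.31", "docs.example.com", "A"),
]


def allowlisted(qname, suffixes=ALLOWLIST):
    """True if qname is, or is a subdomain of, an allowlisted suffix."""
    return any(qname == s or qname.endswith("." + s) for s in suffixes)


def flag_dns(log, training=NORMAL_QUERIES, threshold=3.0):
    """Score each non-allowlisted query's length against the baseline and
    return {client_ip: [(qname, qtype, index), ...]} for index > threshold."""
    mean, var = baseline([len(q) for q in training])
    hits = defaultdict(list)
    for client, qname, qtype in log:
        if allowlisted(qname):
            continue  # the environment-specific training step
        idx, _ = anomaly_index(len(qname), mean, var)
        if idx > threshold:
            hits[client].append((qname, qtype, round(idx, 1)))
    return dict(hits)


if __name__ == "__main__":
    for role, rows in score_traffic(DB_TRAFFIC).items():
        for nbytes, idx, p in rows:
            print(f"{role}: {nbytes:.2e} bytes, index={idx:.1f}, p={p:.1e}")
    for client, rows in flag_dns(DNS_LOG).items():
        print(client, rows)
```

Two design points match the talk's caveats: the allowlist is applied before scoring, because the reputation TXT lookup and the AWS host name would otherwise score as high as the tunnel-like queries; and the traffic index is kept per role, so the bulk database transfer is judged against that server's own history rather than a network-wide average. In practice the allowlist and the training window are the environment-specific pieces an analyst maintains.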