
Advanced Threats: Damballa & HP ArcSight Help Salesforce.com Stay One Step Ahead

Stephen Newman - VP Product Management, Damballa
Bart Westerink - Director of Information Security, Salesforce.com

Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.


The Business Behind Infections


[Diagram: the infection lifecycle. Actors: Pay Per Installer, Cyber Brokers, Cyber Criminals. Infection vectors: WWW, USB, BYOD, email. Stages on the Victim: Initial Infection (the Dropper unpacks on the victim machine and runs), Update & Repurpose (Updater; malware is updated/customized), Initial C&C and 2nd Repurpose (Downloader, Repository, C&C Portals, C&C Proxies), Evasion Cycle Continues.]

Designed to:
- Be stealthy, stay low and slow, act like a user
- Steal PII, application credentials, intellectual property
- Transfer funds, conduct fraud

Motivation: it's a highly organized ecosystem with one goal: MAKE MONEY.

What Can Companies Do?

[Same infection-lifecycle diagram as the previous slide, here labelled Data Theft.]

1. Assume infections will occur, while assets are inside AND outside your network
2. Conduct active monitoring: shift from prevention-only to include detection
   a. Combine threat intelligence, content inspection and behavior-based communication discovery to rapidly detect hidden infections
   b. Use technologies that provide context and assess risk based on network activity
3. Arm your Incident Responders so they can take action

Damballa Failsafe

[Diagram: Enterprise Devices reach the Internet through DNS, Proxy and Egress points, where Damballa Sensor(s) perform deep packet inspection of all Internet traffic. Damballa FirstAlert Cyber Threat Intelligence and a correlation function f(x) combine the behaviors seen to pinpoint infected devices.]

Is the destination suspicious? Low reputation, mixed use, or known bad.
Is the traffic suspicious? Suspicious content; DPI of payload / executables / files.
Is the behavior suspicious? Do the events appear to be software or human driven?

Damballa Failsafe hunts for hidden threats: victim machines actively communicating with cyber criminals.

Damballa Failsafe

[Diagram: a Damballa Sensor at the DNS and Proxy/Egress points records the Behaviors Seen for each Victim. The Threat Conviction Engine f(x) in the Damballa Management Console correlates them (each Behavior Seen contributes to Conviction) and sends pre-correlated infection intelligence via CEF to HP ArcSight ESM.]

Actionable Intelligence: Victims Identified, Threats Classified, Threat Activity Qualified

Threat Conviction Engine - correlates behaviors seen

Behaviors correlated:
- DNS queries to suspicious destinations?
- Domain fluxing?
- Egress connection attempts?
- Proxy connection attempts?
- Non-human behavior?
- Suspicious binary downloads?

Each behavior seen contributes to the Threat Conviction Score (1-100).

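The slide says only that each behavior seen contributes to the conviction score and that the score runs from 1 to 100; it does not give the weighting. The following is an added example, not Damballa's engine, showing one way independent weak indicators can be combined so that several together convict a host while one alone does not. The per-behavior confidences, the noisy-OR combination, the threshold and the sample observations are all assumptions made for this illustration.

```python
"""Combine the behaviors seen for a host into a Threat Conviction Score (1-100).

Added example, not Damballa's engine. The confidences below and the noisy-OR
combination are assumptions chosen to illustrate the idea on the slide.
"""
from typing import Dict, Iterable, List, Tuple

# Assumed confidence that a host showing this behavior alone is infected.
# Illustrative values, not Damballa's weights.
BEHAVIOR_CONFIDENCE: Dict[str, float] = {
    "dns_suspicious_destination": 0.30,
    "domain_fluxing": 0.50,
    "egress_connection_attempt": 0.20,
    "proxy_connection_attempt": 0.25,
    "non_human_behavior": 0.35,
    "suspicious_binary_download": 0.60,
}


def conviction_score(behaviors: Iterable[str]) -> int:
    """Noisy-OR combination of the distinct behaviors seen.

    P(infected) = 1 - prod(1 - p_i). The same behavior seen repeatedly counts
    once, so a chatty host does not convict itself by volume alone.
    """
    p_clean = 1.0
    for behavior in set(behaviors):
        if behavior not in BEHAVIOR_CONFIDENCE:
            raise ValueError(f"unknown behavior: {behavior}")
        p_clean *= 1.0 - BEHAVIOR_CONFIDENCE[behavior]
    score = round((1.0 - p_clean) * 100)
    return max(1, min(100, score))


def score_hosts(observations: Iterable[Tuple[str, str]]) -> Dict[str, int]:
    """Group (host, behavior) observations by host and score each host."""
    seen: Dict[str, List[str]] = {}
    for host, behavior in observations:
        seen.setdefault(host, []).append(behavior)
    return {host: conviction_score(behaviors) for host, behaviors in seen.items()}


def convicted(scores: Dict[str, int], threshold: int) -> List[str]:
    """Hosts whose score exceeds the threshold, highest score first."""
    hits = [h for h, s in scores.items() if s > threshold]
    return sorted(hits, key=lambda h: (-scores[h], h))


# Constructed sample observations, as a sensor would record them per host.
SAMPLE_OBSERVATIONS = [
    ("10.0.0.5", "dns_suspicious_destination"),
    ("10.0.0.5", "domain_fluxing"),
    ("10.0.0.5", "non_human_behavior"),
    ("10.0.0.9", "egress_connection_attempt"),
    ("10.0.0.9", "egress_connection_attempt"),
    ("10.0.0.9", "egress_connection_attempt"),
    ("10.0.0.12", "suspicious_binary_download"),
    ("10.0.0.12", "dns_suspicious_destination"),
]

if __name__ == "__main__":
    scores = score_hosts(SAMPLE_OBSERVATIONS)
    for host, score in sorted(scores.items()):
        print(f"{host:<10} TCS={score}")
    print("convicted:", convicted(scores, threshold=70))
```

With the sample data, the host that repeats one weak behavior three times scores 20, while the host with three different medium-confidence behaviors scores 77; the noisy-OR form is what makes distinct evidence accumulate and repeated evidence saturate.
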
Actionable Intelligence
Victims Identified, Relative Risk Assessed, Threats Classified, Threat Activity Qualified

Asset Risk Factor based on activity in YOUR network

Bytes In (Local): receiving instructions, updates, malware being repurposed?
Bytes Out (Local): indicative of the amount of data stolen?
Connection Attempts (Local): how frequently is the asset communicating with a C&C?
Category (Local): where does the asset sit / who does it belong to?
# of Threats (Local): is the asset compromised with more than one threat?
Severity (Global): what is the risk of the threat?
AV Coverage (Global): for a specific threat, what is my relative AV coverage?

Actionable Intelligence
Victims Identified, Relative Risk Assessed, Threats Classified, Threat Activity Qualified

Full forensics for all behaviors seen:
- All events in sequence
- Full PCAPs for malicious traffic
- Malicious malware captured
- Malware trace reports (host and network behaviors)
- Bytes in / bytes out
- Ports / traffic type
- Connection status (failed, proxy blocked, completed)
- Category and priority of risk of endpoint
- Threat operator profile
- Endpoint compromise history
- Geo-location of C&C

CEF Output
CEF:0|Damballa|Failsafe|5.0|Convicted host|Evidence|9|app=TCP cat=Connection Attempt cfp1=4.2 cfp1Label=Asset Risk Factor cn1=10 cn1Label=Threat Conviction Score cn2=53 cn2Label=Local Severity cs1=Sality-01 cs1Label=Threat Name cs2=Sality cs2Label=Industry Name cs3=http://myhost/botnet/Sality-01 cs3Label=KB Link cs4=initiated cs4Label=Connection Status cs6=http://myhost/assets/4 cs6Label=Asset Detail Link destinationDnsDomain=efbwm.egozdq.com dst=66.0.0.1 dvchost=Combo externalId=260 in=186104 out=16116 proto=TCP rt=1299092964000 src=198.22.69.4 start=1299092964000
Event scenario: Connection Attempt to C&C

Field (type): value
Signature ID (String): Convicted
Severity (Integer): 9
msg (String): Compromised
cat (String): Connections
src (IPv4 Address): 198.22.69.4
shost (String): (source hostname)
smac (MAC Address): (source host mac)
destinationDnsDomain (String): (destination domain)
dst (IPv4 Address): (destination IPv4)
request (String): (URL)
in (Integer): (bytes)
out (Integer): (bytes)
proto (String): (protocol)
app (String): (app)
cs1Label (String): Threat Name
cs1 (String): (Threatname)
cs2Label (String): Industry Name
cs2 (String): (Industry Name)
cs3Label (String): KB Link
cs3 (String): (KB Link)
cs4Label (String): Connection Status
cs4 (String): (connection status)
cs6Label (String): Asset Detail Link
cs6 (String): (Asset Detail Link)
cn1Label (String): Threat Conviction Score
cn1 (Long): (TCS)
cn2Label (String): Local Severity
cn2 (Long): (LS)
cfp1Label (String): Asset Risk Factor
cfp1 (Custom Floating Point): (ARF)
cfp2Label (String): Incident Severity
cfp2 (Custom Floating Point): (IS)
externalId (String): (unique event ID)
dvchost (String): (sensor name)

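A consumer of this feed has to split the pipe-delimited CEF header, split the extension into key=value pairs whose values may contain spaces (cat=Connection Attempt), and then map the generic custom fields (cs1, cn1, cfp1) back onto the labels the vendor assigned them (cs1Label=Threat Name). The following parser is an added example, not Damballa or HP ArcSight code; SAMPLE_CEF is the line from the slide, and the output field names it produces are this example's own choice.

```python
"""Parse a Damballa Failsafe CEF event and resolve its custom-field labels.

Added example, not vendor code. Applies the CEF rules for the pipe-delimited
header (a backslash escapes a pipe) and the space-separated key=value
extension (a backslash escapes '=' and '\\').
"""
import re
from typing import Any, Dict

# The CEF line shown on the slide, split across lines for readability.
SAMPLE_CEF = (
    "CEF:0|Damballa|Failsafe|5.0|Convicted host|Evidence|9|"
    "app=TCP cat=Connection Attempt cfp1=4.2 cfp1Label=Asset Risk Factor "
    "cn1=10 cn1Label=Threat Conviction Score cn2=53 cn2Label=Local Severity "
    "cs1=Sality-01 cs1Label=Threat Name cs2=Sality cs2Label=Industry Name "
    "cs3=http://myhost/botnet/Sality-01 cs3Label=KB Link "
    "cs4=initiated cs4Label=Connection Status "
    "cs6=http://myhost/assets/4 cs6Label=Asset Detail Link "
    "destinationDnsDomain=efbwm.egozdq.com dst=66.0.0.1 dvchost=Combo "
    "externalId=260 in=186104 out=16116 proto=TCP rt=1299092964000 "
    "src=198.22.69.4 start=1299092964000"
)

_HEADER_SPLIT = re.compile(r"(?<!\\)\|")              # a pipe not preceded by a backslash
_KEY_START = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # "key=" at start or after whitespace
_CUSTOM_FIELD = re.compile(r"^(cs|cn|cfp)(\d+)$")     # cs=string, cn=long, cfp=float


def _unescape(text: str) -> str:
    """Drop the backslash from any escaped character."""
    return re.sub(r"\\(.)", r"\1", text)


def parse_extension(ext: str) -> Dict[str, str]:
    """Split the extension into key/value pairs; values run up to the next key."""
    fields: Dict[str, str] = {}
    keys = list(_KEY_START.finditer(ext))
    for i, match in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        fields[match.group(1)] = _unescape(ext[match.end():end].strip())
    return fields


def resolve_custom_fields(ext: Dict[str, str]) -> Dict[str, Any]:
    """Map csN/cnN/cfpN onto their csNLabel names, applying the CEF type."""
    resolved: Dict[str, Any] = {}
    for key, value in ext.items():
        m = _CUSTOM_FIELD.match(key)
        if not m:
            continue
        label = ext.get(key + "Label", key)   # fall back to the raw key if unlabeled
        if m.group(1) == "cn":
            resolved[label] = int(value)
        elif m.group(1) == "cfp":
            resolved[label] = float(value)
        else:
            resolved[label] = value
    return resolved


def parse_cef(line: str) -> Dict[str, Any]:
    """Return the header fields, the raw extension and the label-resolved custom fields."""
    if not line.startswith("CEF:"):
        raise ValueError("not a CEF line")
    parts = _HEADER_SPLIT.split(line, maxsplit=7)
    if len(parts) != 8:
        raise ValueError("malformed CEF header: expected 7 pipes")
    ext = parse_extension(parts[7])
    return {
        "cef_version": parts[0][len("CEF:"):],
        "vendor": _unescape(parts[1]),
        "product": _unescape(parts[2]),
        "device_version": _unescape(parts[3]),
        "signature_id": _unescape(parts[4]),
        "name": _unescape(parts[5]),
        "severity": int(parts[6]),
        "extension": ext,
        "custom": resolve_custom_fields(ext),
    }


if __name__ == "__main__":
    event = parse_cef(SAMPLE_CEF)
    print(event["signature_id"], event["severity"], event["extension"]["src"])
    for label, value in event["custom"].items():
        print(f"  {label}: {value!r}")
```

Resolving the labels up front is what lets a downstream rule refer to "Threat Conviction Score" rather than "cn1", so the rule keeps working if the vendor ever renumbers its custom fields.
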
Integration with HP ArcSight Logger


- All DNS traffic captured by HP ArcSight Logger can be sent to a single Damballa sensor
- No Damballa sensor needed at the DNS servers/server clusters

Damballa & HP ArcSight


Bart Westerink, Director of Information Security

Architecture

Simple Deployment
- Install Damballa Failsafe sensors at egress points only
- We use the HP ArcSight connector to collect DNS events from smaller offices
- HP ArcSight Logger forwards events to the central Damballa Failsafe sensor

Improved Incident Response

- Damballa Management Console sends CEF events to the syslog connector
- ESM alerts the SOC when the TCS threshold is exceeded
- ESM kicks off a script to start collecting host information (OS, user)
- ESM opens a case in SupportForce
- Correlation with other hosts on the suspicious active list
- Once we confirm the threat is real, we can generally remove the client from the network in about 20-30 minutes

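The steps above (threshold on the conviction score, host information lookup, case creation, correlation with hosts already under watch) are easy to get wrong in small ways, such as counting a threshold hit as "exceeded" when it merely equals the threshold, or losing a second threat name on an already-convicted host. The following is an added example of that triage logic, not Salesforce.com's ESM rules, scripts or SupportForce integration. The event dicts (CEF already parsed with custom fields resolved by label), the 70-point threshold, the asset inventory, the suspicious-active list, the placeholder threat name "ThreatFamily-B" and the Case record are all constructed for this example.

```python
"""Triage convicted hosts along the lines of the incident-response flow above.

Added example, not Salesforce.com's ESM content. All inputs are constructed.
"""
from dataclasses import dataclass
from typing import Any, Dict, Iterable, List, Set

TCS_THRESHOLD = 70  # assumed: alert when the Threat Conviction Score exceeds this

# Constructed stand-in for the script ESM runs to collect host information (OS, user).
ASSET_INVENTORY: Dict[str, Dict[str, str]] = {
    "10.0.0.5": {"os": "Windows 7", "user": "jdoe"},
    "10.0.0.12": {"os": "Windows XP", "user": "asmith"},
}

# Constructed: hosts already on the suspicious active list before these events.
SUSPICIOUS_ACTIVE: Set[str] = {"10.0.0.12", "10.0.0.30"}

# Constructed sample events; "ThreatFamily-B" is a placeholder threat name.
SAMPLE_EVENTS: List[Dict[str, Any]] = [
    {"src": "10.0.0.5", "externalId": "260",
     "custom": {"Threat Name": "Sality-01", "Threat Conviction Score": 85}},
    {"src": "10.0.0.5", "externalId": "261",
     "custom": {"Threat Name": "ThreatFamily-B", "Threat Conviction Score": 60}},
    {"src": "10.0.0.9", "externalId": "262",
     "custom": {"Threat Name": "ThreatFamily-B", "Threat Conviction Score": 40}},
    {"src": "10.0.0.12", "externalId": "263",
     "custom": {"Threat Name": "Sality-01", "Threat Conviction Score": 72}},
    {"src": "10.0.0.30", "externalId": "264",
     "custom": {"Threat Name": "ThreatFamily-B", "Threat Conviction Score": 55}},
]


@dataclass
class Case:
    host: str
    threats: List[str]          # distinct threat names seen on this host
    max_tcs: int
    host_info: Dict[str, str]   # OS and user, as the collection script would return
    already_suspicious: bool    # host was on the suspicious active list already
    related_hosts: List[str]    # other convicted or watched hosts sharing a threat
    event_ids: List[str]        # externalId values that back the case


def triage(events: Iterable[Dict[str, Any]], threshold: int = TCS_THRESHOLD,
           suspicious_active: Set[str] = SUSPICIOUS_ACTIVE,
           inventory: Dict[str, Dict[str, str]] = ASSET_INVENTORY) -> Dict[str, Case]:
    by_host: Dict[str, List[Dict[str, Any]]] = {}
    hosts_by_threat: Dict[str, Set[str]] = {}
    for e in events:
        by_host.setdefault(e["src"], []).append(e)
        hosts_by_threat.setdefault(e["custom"]["Threat Name"], set()).add(e["src"])

    def max_tcs(evs: List[Dict[str, Any]]) -> int:
        return max(ev["custom"]["Threat Conviction Score"] for ev in evs)

    # Alert only on hosts whose conviction strictly exceeds the threshold.
    convicted = {h for h, evs in by_host.items() if max_tcs(evs) > threshold}

    cases: Dict[str, Case] = {}
    for host in convicted:
        evs = by_host[host]
        threats = sorted({ev["custom"]["Threat Name"] for ev in evs})
        # Correlate with other hosts tied to the same threat that are either
        # convicted themselves or already on the suspicious active list.
        related = {other for t in threats for other in hosts_by_threat[t]
                   if other != host and (other in convicted or other in suspicious_active)}
        cases[host] = Case(
            host=host,
            threats=threats,
            max_tcs=max_tcs(evs),
            host_info=inventory.get(host, {"os": "unknown", "user": "unknown"}),
            already_suspicious=host in suspicious_active,
            related_hosts=sorted(related),
            event_ids=[ev["externalId"] for ev in evs],
        )
    return cases


if __name__ == "__main__":
    for host, case in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: TCS={case.max_tcs} threats={case.threats} "
              f"user={case.host_info['user']} related={case.related_hosts}")
```

Two things worth noticing in the sample run: the host at 10.0.0.9 never becomes a case (score 40 is below the threshold) but also never appears as a related host, while 10.0.0.30 does appear as related even though its own score is below threshold, because it was already on the suspicious active list.
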
Improved SOC Productivity

- Data we receive from Damballa is enough to take action
- Increased visibility into threats: the SOC now spends less time doing research, productivity has improved
- Damballa Management Console used for deeper dives: threat research, packet traces, malware analysis
- Validate white-listing solution
- Event volume is low
- Few false positives

Resources

Results!


