Copyright 2012 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice.
Advanced Threats: Damballa & HP ArcSight Help Salesforce.com Stay One Step Ahead
Stephen Newman, VP Product Management, Damballa
Bart Westerink, Director of Information Security, Salesforce.com
Infection lifecycle (diagram):
Dropper
Updater
Downloader
Repository
C&C Proxies
Victim
Initial Infection: the dropper unpacks on the victim machine and runs.
Malware is updated/customized.
Designed to:
- Be stealthy: stay low and slow, act like a user
- Steal PII, application credentials, intellectual property
- Transfer funds, conduct fraud
Motivation: it's a highly organized ecosystem with one goal: MAKE MONEY.
1. Assume infections will occur, while assets are inside AND outside your network
2. Conduct active monitoring: shift from prevention-only to include detection
   a. Combine threat intelligence, content inspection and behavior-based communication discovery to rapidly detect hidden infections
   b. Use technologies that provide context and assess risk based on network activity
3. Arm your Incident Responders so they can take action
(Diagram: Data Theft)
Damballa Failsafe (diagram):
Enterprise Devices / Victim
Damballa Sensor(s) at DNS, Proxy and Egress
Behaviors Seen -> f(x): correlation of behaviors seen pinpoints infected devices
Suspicious content: DPI of payload / executables / files
Do the events appear to be software or human driven?
Damballa Failsafe hunts for hidden threats: victim machines actively communicating with cyber criminals.
Actionable Intelligence (f(x) output):
- Victims Identified
- Relative Risk Assessed
- Threats Classified
- Threat Activity Qualified
Full Forensics
- All events in sequence
- Full PCAPs for malicious traffic
- Malicious malware captured
- Malware trace reports (host and network behaviors)
- Bytes in / bytes out
- Ports / traffic type
- Connection status (failed, proxy blocked, completed)
- Category and priority of risk of endpoint
- Threat operator profile
- Endpoint compromise history
- Geo-location of C&C
CEF Output
CEF:0|Damballa|Failsafe|5.0|Convicted host|Evidence|9|app=TCP cat=Connection Attempt cfp1=4.2 cfp1Label=Asset Risk Factor cn1=10 cn1Label=Threat Conviction Score cn2=53 cn2Label=Local Severity cs1=Sality-01 cs1Label=Threat Name cs2=Sality cs2Label=Industry Name cs3=http://myhost/botnet/Sality-01 cs3Label=KB Link cs4=initiated cs4Label=Connection Status cs6=http://myhost/assets/4 cs6Label=Asset Detail Link destinationDnsDomain=efbwm.egozdq.com dst=66.0.0.1 dvchost=Combo externalId=260 in=186104 out=16116 proto=TCP rt=1299092964000 src=198.22.69.4 start=1299092964000
Event scenario: Connection Attempt to C&C

Field (type)                      Value
Signature ID (String)             Convicted
Severity (Integer)                9
msg (String)                      Compromised
cat (String)                      Connections
src (IPv4 Address)                198.22.69.4
shost (String)                    (source hostname)
smac (MAC Address)                (source host mac)
destinationDnsDomain (String)     (destination domain)
dst (IPv4 Address)                (destination IPv4)
request (String)                  (URL)
in (Integer)                      (bytes)
out (Integer)                     (bytes)
proto (String)                    (protocol)
app (String)                      (app)
cs1Label (String)                 Threat Name
cs1 (String)                      (Threatname)
cs2Label (String)                 Industry Name
cs2 (String)                      (Industry Name)
cs3Label (String)                 KB Link
cs3 (String)                      (KB Link)
cs4Label (String)                 Connection Status
cs4 (String)                      (connection status)
cs6Label (String)                 Asset Detail Link
cs6 (String)                      (Asset Detail Link)
cn1Label (String)                 Threat Conviction Score
cn1 (Long)                        (TCS)
cn2Label (String)                 Local Severity
cn2 (Long)                        (LS)
cfp1Label (String)                Asset Risk Factor
cfp1 (Custom Floating Point)      (ARF)
cfp2Label (String)                Incident Severity
cfp2 (Custom Floating Point)      (IS)
externalId (String)               (unique event ID)
dvchost (String)                  (sensor name)
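The custom fields in the CEF record above (cs1, cn1, cfp1 and so on) only mean something once a consumer pairs them with their Label keys. The Python below is an added example, not Damballa or ArcSight code: it parses the slide's sample event, resolves the label pairs into named fields, and applies a hypothetical triage rule whose thresholds are assumptions, not values from the slides.

```python
import re

# Constructed sample: the Damballa Failsafe CEF event from the CEF Output slide, split for readability.
SAMPLE = (
    "CEF:0|Damballa|Failsafe|5.0|Convicted host|Evidence|9|app=TCP cat=Connection Attempt "
    "cfp1=4.2 cfp1Label=Asset Risk Factor cn1=10 cn1Label=Threat Conviction Score cn2=53 "
    "cn2Label=Local Severity cs1=Sality-01 cs1Label=Threat Name cs2=Sality cs2Label=Industry Name "
    "cs3=http://myhost/botnet/Sality-01 cs3Label=KB Link cs4=initiated cs4Label=Connection Status "
    "cs6=http://myhost/assets/4 cs6Label=Asset Detail Link destinationDnsDomain=efbwm.egozdq.com "
    "dst=66.0.0.1 dvchost=Combo externalId=260 in=186104 out=16116 proto=TCP rt=1299092964000 "
    "src=198.22.69.4 start=1299092964000"
)

HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

def parse_cef(line):
    """Return {'header': {...}, 'ext': raw key/value pairs, 'fields': label-resolved pairs}."""
    # The seven header fields are '|'-separated; a literal pipe inside one is escaped as '\|'.
    parts = re.split(r"(?<!\\)\|", line, maxsplit=7)
    if len(parts) != 8 or not parts[0].startswith("CEF:"):
        raise ValueError("not a CEF line")
    header = dict(zip(HEADER, [p.replace("\\|", "|") for p in parts[:7]]))
    header["version"] = header["version"][4:]
    header["severity"] = int(header["severity"])
    # Extension values may contain spaces, so a value runs until the next 'key=' token
    # that is preceded by whitespace; '\=' and '\\' inside a value are unescaped.
    ext, keys = {}, list(re.finditer(r"(?:^|\s)([A-Za-z0-9_]+)=", parts[7]))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[7])
        ext[m.group(1)] = re.sub(r"\\([\\=])", r"\1", parts[7][m.end():end].strip())
    # Damballa carries the meaning in csNLabel/cnNLabel/cfpNLabel; map label -> value so a
    # consumer reads 'Threat Conviction Score' instead of 'cn1'.
    fields = {k: v for k, v in ext.items() if not k.endswith("Label")}
    for k, label in ext.items():
        if k.endswith("Label") and k[:-5] in ext:
            fields[label] = ext[k[:-5]]
            fields.pop(k[:-5], None)
    return {"header": header, "ext": ext, "fields": fields}

def needs_response(event, min_tcs=8, min_local_severity=50):
    """Hypothetical triage rule (thresholds are assumptions, not from the slides): escalate a
    convicted host whose score and severity meet the thresholds unless the C&C attempt was proxy blocked."""
    f = event["fields"]
    tcs = int(f.get("Threat Conviction Score", 0))
    sev = int(f.get("Local Severity", 0))
    blocked = f.get("Connection Status", "").lower() == "proxy blocked"
    return (event["header"]["signature_id"] == "Convicted host"
            and tcs >= min_tcs and sev >= min_local_severity and not blocked)
```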
No Damballa sensor needed at the DNS servers/server clusters

Architecture
Simple Deployment
- Install Damballa Failsafe sensors at egress points only.
- We use the HP ArcSight connector to collect DNS events from smaller offices.
- HP ArcSight Logger forwards events to the central Damballa Failsafe sensor.
Results!