internal host-reputation-webinar
DESCRIPTION
With so many new threat actors out there, IP reputation is becoming increasingly critical for effectively combating attacks. Under today’s security paradigm, administrators need to know not only about the bad guys lurking on the Internet, but also about the ones operating inside the network perimeter. Lancope uniquely provides both internal and external host reputation, better preparing organizations to combat APTs and insider threats, address BYOD challenges, and deliver actionable information for security teams. Learn how to leverage internal host reputation to uncover a wide range of suspicious user behaviors such as:
* Sending out an unusual amount of traffic
* Communicating with known, bad external hosts
* Accessing restricted areas of the network
* Spreading malware
TRANSCRIPT
©2013 Lancope , Inc. All Rights Reserved
Internal Host Reputation
For Combating
Advanced Cyber Threats
Matthew McKinley
Agenda
Background
– What is IP reputation?
– Why is it important?
– How is it used today?
What is the Concern Index?
– Basic definition
– How it relates to reputation
The two sides of IP reputation
– External
– Internal
Combating Advanced Cyber Threats
– Internal Host Reputation as a function of the Concern Index
– The benefits of IHR
– How IHR can help with attacks that are not easily categorized
Background
IP reputation is a measure of how trustworthy (or more commonly untrustworthy) an IP is
– Based on association with SPAM, botnets, and other malicious activity
– Knowing the reputation of IP addresses gives administrators an idea of what to watch for, e.g. is someone on my network talking to a known botnet?
Today, External Host Reputation is used for a variety of purposes, but mostly as a way to identify when
– A known bad address has communicated with you, or…
– When someone on your network has communicated with a known bad address
The Concern Index
The Concern Index is a measure of, literally, how concerned one should be about a given host
– Concern Index Points are accumulated based on:
  Behavior, e.g. deviation from norms, scanning activity, communication patterns, etc.
  Communication with particular outside hosts
  Movement of unexpectedly large amounts of data
  Communication with unexpected parts of the network, e.g. a desktop talking to a server in a PCI environment
– The CI is calculated network-wide because of the visibility provided by NetFlow data
– The CI can be leveraged for actions such as alarming, trending, reporting and...
– You guessed it: Reputation!
The Concern Index
Here is what the Concern Index looks like in use:
Reputation
Now wait a minute, I already know what reputation is! True. But there are 2 sides to the coin:
– External
– Internal
External is very useful and many, many security pros make use of one of the many reputation services.
– This is good for knowing what to block, what to look out for, etc.
The internal side is just as important, but harder to do.
– External services cannot see the interior of your network
– Even if they could, the understanding and visibility required would be complicated
Hosts on the inside of the network misbehave, too.
– Data exfiltration
– Users hogging bandwidth
– Communication with command and control servers
– Attempted communication to forbidden parts of the network
Reputation
Internal Host Reputation is a more personal form of reputation service that is unique to your environment
– Issues can be spotted before they become problems
– Because of ISE integration, users can be tied to IP addresses
– Reputation can extend to virtual hosts
– Events leading to degraded reputation are easily accessible
Tying it all together
What does the Concern Index have to do with Reputation?
– The CI is a measure of how “out-of-bounds” a host on the network has become
– As we’ve discussed, there can be many reasons for that
– The more CI points a host accumulates, the more incorrectly it’s behaving
Dashboards are close friends of the Admin. The Reputation dashboard ranks hosts based on:
– Concern Index, with the worst offenders being at the top
Running a host snapshot for the top offender gives you an idea of:
– Its Reputation! How has this host been acting historically on my network?
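To make the Concern Index and dashboard ranking described on the two slides above concrete, here is an added toy model (not Lancope's code or StealthWatch's actual scoring) that accumulates points per internal host from constructed NetFlow-style records for the four observation types the Concern Index slide names, then orders hosts worst-first as the Reputation dashboard does. The point weights, thresholds, blocklist, baselines and PCI range are all assumptions made for the example.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed sample NetFlow-style records: (src, dst, dst_port, bytes_sent).
# Documentation/private address ranges only; nothing here is real traffic.
FLOWS = [
    ("10.0.0.5", "198.51.100.20", 443, 12_000),   # ordinary web traffic
    ("10.0.0.5", "203.0.113.7", 8080, 900),       # peer on the constructed bad list
    ("10.0.0.8", "10.10.0.4", 1433, 2_000),       # desktop reaching the PCI segment
    ("10.0.0.9", "198.51.100.20", 443, 400_000),  # far above this host's baseline
] + [("10.0.0.12", f"10.0.1.{i}", 445, 120) for i in range(1, 21)]  # SMB sweep

INTERNAL = ip_network("10.0.0.0/8")
PCI_SEGMENT = ip_network("10.10.0.0/24")     # assumed restricted zone
KNOWN_BAD = {"203.0.113.7"}                  # assumed external reputation list
BASELINE_BYTES = {"10.0.0.5": 20_000, "10.0.0.8": 5_000, "10.0.0.9": 50_000, "10.0.0.12": 5_000}
# Points per observation: assumed weights for this model, not product values.
POINTS = {"known_bad_peer": 50, "restricted_segment": 40, "scan": 30, "volume": 25}
SCAN_TARGETS = 10      # distinct destinations on one port before we call it scanning
VOLUME_FACTOR = 3.0    # bytes sent above baseline * factor counts as a large data movement

def score_flows(flows, baselines=BASELINE_BYTES):
    """Accumulate Concern Index points per internal host and record why."""
    ci, why = defaultdict(int), defaultdict(list)
    sent, sweeps = defaultdict(int), defaultdict(set)
    def add(host, key, detail):
        ci[host] += POINTS[key]
        why[host].append(f"{key}: {detail}")
    for src, dst, port, nbytes in flows:
        if ip_address(src) not in INTERNAL:
            continue                      # only internal hosts earn a reputation here
        sent[src] += nbytes
        sweeps[(src, port)].add(dst)
        if dst in KNOWN_BAD:
            add(src, "known_bad_peer", dst)
        if ip_address(dst) in PCI_SEGMENT and ip_address(src) not in PCI_SEGMENT:
            add(src, "restricted_segment", f"{dst}:{port}")
    for host, total in sent.items():      # deviation from the host's own norm
        base = baselines.get(host, total)
        if total > VOLUME_FACTOR * base:
            add(host, "volume", f"{total} bytes vs baseline {base}")
    for (host, port), targets in sweeps.items():  # one port, many destinations
        if len(targets) >= SCAN_TARGETS:
            add(host, "scan", f"{len(targets)} hosts on port {port}")
    return dict(ci), dict(why)

def reputation_ranking(flows, baselines=BASELINE_BYTES):
    """Worst offenders first, with the events that degraded each host's reputation."""
    ci, why = score_flows(flows, baselines)
    return [(host, ci[host], why[host]) for host in sorted(ci, key=ci.get, reverse=True)]
```

Calling reputation_ranking(FLOWS) puts the host that spoke to the listed bad peer at the top, followed by the PCI access, the SMB sweep and the oversized upload, each with the reasons a host snapshot would show.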
Combating Advanced Cyber Threats
Perimeter defenses lack signatures for Advanced Cyber Threats
– Phishing
– Social Engineering
– Well-engineered email attachments
– Insiders
Because the end result is similar, i.e. endpoints behaving in ways they normally would not, these attacks accumulate CI points and put the affected hosts on the CI dashboard.
Worm propagation can be tracked in this way, too.
If a user brings in an infected laptop that attempts to call a C&C server, it will accumulate CI points.
Hosts that are behaving the worst, particularly in the case of data exfiltration, are clearly visible.
Combating Advanced Cyber Threats
If a host is infected, it is possible to see an internal pivot to attack or infect other machines
Internal Host Reputation is a form of Data Analytics which can spot behaviors that signature-based systems would completely miss.
Attackers are well aware of the current countermeasures, but countering analytics is much harder to do
Remember that StealthWatch provides IHR and links it to a user.
The battle against Advanced Cyber Threats is a battle against sophisticated behaviors, and it takes a behavioral solution to combat them.
Cyber Threats Dashboard
Conclusions
As the size of internal networks grows, internal reputation will become as important as external reputation
Perimeter devices cannot provide this level of information; only an internal visibility solution leveraging network telemetry such as NetFlow can accomplish this
Advanced Cyber Threats are not easily categorized and can only be identified with an analytical approach
– http://www.emc.com/collateral/industry-overview/h11240-advanced-threats-summit-2012-io.pdf
The Concern Index (and IHR) is a valuable tool for tracking potential threats, both internally and externally
Lancope at RSA 2013
Return of the famous Lancope Ninja Sword!
Visit booth #1653
Presentations by Tom Cross, Director of Security Research:
- Tuesday @ 4:30 pm
- Wednesday @ 2 pm
Email [email protected] to request a private demo at the event.
Get Engaged with Lancope!
- Twitter: @Lancope, @NetFlowNinjas, @stealth_labs
- Access StealthLabs Intelligence Center (SLIC) Reports
- Security Research
Thank you!