Public Sector Challenges to Combating Cyberthreats Industry Perspective
Public Sector Challenges to Combating Cyberthreats 1
Private companies, organizations and even the federal government spend billions every year on various forms of perimeter security. Between firewalls, IPS/IDS devices, endpoint detection solutions, sandboxing, direct security information and event management (SIEM) monitoring and traditional antivirus and antimalware installations, most organizations seem to be bristling with protections that should make them secure – at least on paper. But the truth is, unfortunately, very different.
Industry Perspective 2
Successful malware infections are on the rise, as are the losses sustained by companies trying to defend against today’s most advanced threats. One in 151 emails in the public sector was identified as malicious in 2015, and recent studies have blamed malware infections for over $300 billion in losses by U.S. companies alone in 2016. Those losses came from the theft of intellectual property, the direct stealing of money from accounts and the costs incurred to clean up after each breach. That figure does not take into account the loss of confidence, and thus business, from customers whose personal data may have been stolen, which could make the number much higher.
How can infections and successful breaches be on the rise even as spending to stop them increases? The problem is that most security products rely on their ability to search for known indicators of compromise. If a malicious program tries to reach out to a command and control server that has been flagged as a host for malware, alerts are generated and the process can be halted. But today’s attackers, especially the well-financed ones supported by large criminal organizations or even nation-states, know how that protection works. They spend as much time studying existing defenses as writing new attacks, and work very hard to circumvent them.
Many of today’s most advanced persistent threats (APTs) and cutting-edge malware programs are created specifically to get around traditional protection. They are designed so that they never need to make use of known servers and domains, and don’t ever check in to the same place twice. Like real-life spies who never backtrack to the same meeting location, this new breed of malware can stay one step ahead of any protection scheme that has to rely on knowing previous behavior. In fact, the only way to detect and defeat this kind of advanced threat is by employing powerful data analytics.
Protection can’t simply follow behind the malware, hoping to somehow catch up. In this industry perspective, GovLoop and HPE have partnered to discuss solutions to prevent issues like these – solutions that can analyze the malware’s communications, identify it as such even if it never touches a blacklisted site and enable analysts to neutralize the core program before it can do any harm.
Attackers Armed With Algorithms
Most malware and all APTs have persistence on a compromised endpoint, as well as lateral movement to other hosts within the network, as their core goal. Over 95 percent of malware accomplishes this using domain name system (DNS) requests that allow the malicious program to communicate with a command and control server. The server can both record data being exfiltrated and send back instructions to the program about what to do next. It can also open a channel that gives the attacker outside control over the compromised endpoint, and help the malware spread to other hosts within a network.
In these new types of attacks, the malware is armed with the ability to generate random domain names with which to communicate, based on a pre-loaded algorithm. Command and control servers leverage the same algorithm to register and listen for requests on the same randomly generated domain name. Both the malware and the command and control servers know exactly how and when to communicate over these never-before-used domains, which can be used and cycled through by the day or even by the minute.
Most perimeter security programs use the blacklisting of known hacker servers to stop or block this communication. As new threats spread, more servers, domains and compromised IP addresses are added to the blacklist, though there is often a delay in this process that can last anywhere from a few minutes to a few months. Eventually, most heavily trafficked compromised servers become blocked by most forms of protection, though hackers can still leverage the delay time to cause a lot of damage.
On the backend, the attackers have streamlined the process of DNS registry so that they can create and register new domains that are only going to be used for a few minutes or even a few seconds – just long enough for malware to check in with its control servers. These domains can even be paid for using bitcoin to help maintain the anonymity of the attackers and prevent tracking. After that, the domain may never be used again, is likely dissolved, and certainly never becomes subject to any form of blacklisting. If it ever does become blacklisted, it will happen well after the fact.
Some of the most advanced threats circulating today have gotten around this process altogether, creating strains of malware whose communications are almost immune to any blacklisting. Ironically, these new attacks are modeled after a very secure way of protecting websites from intruders: dual-factor authentication.
An especially alert analyst may notice, as new blacklist information becomes available, that a program on one of his or her protected endpoints reached out to a blacklisted site in the past. This could lead to the destruction of the program, but generally so much time has elapsed by that point that the malware has likely spread to other hosts that are similarly operating independently with their own algorithms, making eradication of the entire APT a difficult process even if evidence of its presence is eventually uncovered.
Stopping the Unstoppable, Knowing the Unknown
The only way to effectively combat this new breed of algorithm-equipped malware is by examining DNS records, a tactic that very few government organizations currently employ. But that is kind of like suggesting that someone needs to build a rocket if they want to go to the moon. It’s true, but doesn’t really explain how it could be done, or convey the inherent difficulty in such a process. For example, funneling all DNS traffic into a SIEM for analysis is a perfect recipe for overloading it, on top of all the other factors a SIEM must monitor. Besides incredibly inflating the costs paid based on events per second or gigabytes per day, such a plan would only capture half the clues needed to detect an advanced algorithm-using threat, namely the outgoing DNS requests.
What is needed is a dedicated tool that concentrates solely on DNS traffic, outside of a SIEM or even independently in the absence of one. And it would need the capability to examine both the outgoing DNS requests and the responses that come back. The return responses are important because not only do they help indicate the presence of algorithm-generated DNS requests, they can also be used to prioritize threat response. A jumble of failed DNS responses from non-existent domains could indicate that the malware’s algorithm and its command and control server are out of sync, making it a lesser threat than one that is successfully communicating with its handlers. The dedicated DNS monitor should also be able to ignore the 99 percent of legitimate traffic that travels through federal agency networks every day. Doing so would enable it to concentrate just on the suspect traffic, greatly reducing system load.
Ultimately, however, the success of such a program would depend on its ability to perform deep data analytics on factors that include the domain names themselves, previous domain lookup attempts, outgoing and incoming traffic and the patterns being used, among other things. It should be able to spot the difference between legitimate DNS traffic and that which is being generated by algorithm-equipped malware. And it should be able to perform that function in near real-time so that threats can be neutralized as quickly as possible, ideally before they receive lateral movement instructions or other commands from their control server.
Gaining DNS Visibility With ArcSight DMA
“ArcSight DNS Malware Analytics enables security organizations to detect and respond quickly to malware infections, preventing further damage and data exfiltration,” said Michael Polisky, Civilian Federal Solutions Architect for HPE Security Products. “Leveraging DMA’s analytic engine, organizations are able to detect previously unknown APTs by identifying anomalous DNS traffic, undetected by traditional signature-based methods.”
The ArcSight DNS Malware Analytics (DMA) solution from HPE is a standalone DNS examination tool that can be deployed independently or as part of the larger suite of cybersecurity products under the ArcSight umbrella. It can also interface with any existing SIEM program on the market today. ArcSight DMA is installed as one or more capture modules that focus only on DNS traffic. Each traffic module has four gigabyte ports, and an unlimited number can be deployed to cover any traffic volume. Deploying a lot of modules, however, will likely not be necessary. The program is able to quickly weed out and ignore most traffic, so the amount of bandwidth that needs to be processed will likely be below the threshold of one or two capture points.
The program first identifies all the good DNS lookup requests. Any requests going to known good company websites, news organizations or established web pages are not going to be examined by ArcSight DMA. Why spend computing power trying to analyze a DNS lookup for www.hpe.com or www.govloop.com when they are known to be good, and obviously not generated by an algorithm? This eliminates 99 percent of the traffic.
ArcSight also eliminates known bad traffic. If a host is trying to reach out to a blacklisted site that is part of a Zeus infection (a Trojan horse malware package), there is no need to try to determine whether it’s legitimate. In that case, an alert can automatically be generated by the program or sent to the SIEM. Blacklisting may not work to catch the advanced threats that ArcSight is hunting, but it can still be used to remove the low-hanging fruit of known threats.
What is left is DNS traffic that falls into a gray area that is neither known good nor known bad. It’s where all algorithm-generated DNS requests will fall, along with other legitimate traffic to things like previously unknown domains. The DNS information for that traffic is encrypted and sent to the HPE analytics cloud to be examined.
Once there, 21 proprietary algorithms are used to detect all algorithm-generated domains based on the domain names themselves, previous domain lookup attempts, outgoing and incoming traffic and other patterns that help to zero in on the presence of this advanced type of threat. The detection is so good, and the process so streamlined, that threats can be identified in near real-time.
In fact, ArcSight DMA can also identify a brand new and highly advanced technique in which data is exfiltrated from compromised hosts by means of the DNS request itself. This new tactic hides stolen data within long DNS strings. The command and control server being contacted then uses an algorithm to reassemble that hidden data for the attackers. Almost no other program can detect data exfiltration using DNS lookup requests. Thankfully, this advanced tactic is still very rare, and is deployed almost exclusively by nation-state-funded hackers. But ArcSight DMA can stop it, should it be deployed against a protected organization.
Users can choose how to use the data provided by ArcSight DMA to improve their cybersecurity posture and protect their networks. The ArcSight DMA program provides a user-friendly, graphically rich interface that can be accessed using a web portal. This allows ArcSight DMA to run in parallel with a SIEM without ever interfacing with it, or even by itself if no SIEM exists. But the program is also designed to be completely agnostic in regard to existing defenses. Alerts from ArcSight DMA can be automatically sent to any commercial SIEM with a high degree of confidence that the reported threats are active and dangerous, and not false positives.
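As an added example (not part of the original report, and not HPE's or ArcSight's code), the triage flow the two preceding sections describe, written as a small Python script: allowlisted lookups are dropped, blocklisted ones alert at once, and the remaining gray-area names are scored on label length, character entropy and digit density for DGA-like structure, or on name length and label count for data hidden in the query, with the response codes deciding whether a DGA-style client's command and control server is reachable or out of sync. The sample log, the allowlist and blocklist entries, the thresholds and the "last two labels" domain rule are all constructed assumptions, not ArcSight DMA's 21 proprietary algorithms.

```python
import math

# Constructed sample log: (client, queried name, response code). Not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "www.hpe.com", "NOERROR"),
    ("10.0.0.5", "mail.contoso-corp.example", "NOERROR"),
    ("10.0.0.7", "zeus-c2.example", "NOERROR"),        # constructed blocklist hit
    ("10.0.0.9", "qx7v2k9dhs3a.test", "NXDOMAIN"),      # DGA-style, none resolve
    ("10.0.0.9", "m4p8z1rtw6yc.test", "NXDOMAIN"),
    ("10.0.0.12", "r8t2y5uo1pa7.example", "NXDOMAIN"),  # DGA-style, one resolves
    ("10.0.0.12", "lq2s9n0kfv3e.example", "NOERROR"),
    ("10.0.0.14", "4a6f6c2e3a2f8b1e.5d3c9e0f.data.exfil.example", "NOERROR"),
]
KNOWN_GOOD = {"hpe.com", "govloop.com"}  # allowlist: dropped before analysis
KNOWN_BAD = {"zeus-c2.example"}          # blocklist: alert without analysis

def entropy(s):  # Shannon entropy, bits per character; random labels score high
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def classify(name):
    labels = name.lower().rstrip(".").split(".")
    dom = ".".join(labels[-2:])  # simplification: last two labels = registered domain
    if dom in KNOWN_GOOD:
        return "known-good"
    if dom in KNOWN_BAD:
        return "known-bad"
    host = labels[0]
    digits = sum(c.isdigit() for c in host) / max(len(host), 1)
    if len(name) > 40 and len(labels) >= 4:  # long, many-label names carry data
        return "exfil-like"
    if len(host) >= 10 and entropy(host) >= 3.0 and digits >= 0.2:
        return "dga-like"
    return "unknown"

def triage(log):
    # Returns {client: verdict}; clients with only allowlisted or unknown lookups get none.
    per_client = {}
    for client, name, rcode in log:
        label = classify(name)
        if label != "known-good":  # the bulk of traffic is never analysed
            per_client.setdefault(client, []).append((label, rcode))
    verdicts = {}
    for client, hits in per_client.items():
        labels = {lab for lab, _ in hits}
        if "known-bad" in labels:
            verdicts[client] = "alert: blocklisted domain"
        elif "exfil-like" in labels:
            verdicts[client] = "alert: possible DNS exfiltration"
        elif "dga-like" in labels:  # an answered lookup means the C2 is reachable
            live = any(r == "NOERROR" for lab, r in hits if lab == "dga-like")
            verdicts[client] = "alert: DGA, C2 " + ("reachable" if live else "out of sync")
    return verdicts
```

Running `triage(SAMPLE_LOG)` yields no entry for 10.0.0.5, a blocklist alert for 10.0.0.7, an out-of-sync DGA alert for 10.0.0.9, a reachable-C2 DGA alert for 10.0.0.12 and an exfiltration alert for 10.0.0.14.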
The Time Is Right for Purposely Designed DNS Defense
The newest breed of APTs and algorithm-equipped malware, with its ability to manipulate DNS traffic to prevent blacklist blocking, or even to hide stolen data within a DNS stream, represents one of the most advanced threats ever deployed. Designed to thwart most defenses, it does a great job staying one step ahead of traditional protection. It must be uncovered, analyzed and eliminated using a program like ArcSight DMA, which is equipped with the latest data analytics technology. A big data security analytics solution like ArcSight DMA can give government agencies visibility into their users, network, data and applications, making it much easier to gain information and anticipate, recognize and mitigate threats – keeping your agency, its data and your users safer than ever.
About HPE
Hewlett Packard Enterprise is an industry-leading technology company that enables customers to go further, faster. With the industry’s most comprehensive portfolio, spanning the cloud to the data center to workplace applications, our technology and services help customers around the world make IT more efficient, more productive and more secure.
About TSPi
Technology Solutions Providers, Inc. (TSPi) is a certified Small Disadvantaged Business providing performance-driven end-to-end IT solutions to federal government customers. For over 15 years our business model, as well as our key to success, has been based upon maintaining long-lasting relationships by delivering performance-driven results. Our federal government customers can readily attest to our in-house expertise, commitment to quality, reliability and exceptional performance. TSPi is Capability Maturity Model Integration (CMMI) Level 3 appraised and International Organization for Standardization (ISO) 9000, 20000 and 27000 certified.
About GovLoop
GovLoop’s mission is to “connect government to improve government.” We aim to inspire public-sector professionals by serving as the knowledge network for government. GovLoop connects more than 250,000 members, fostering cross-government collaboration, solving common problems and advancing government careers. GovLoop is headquartered in Washington, D.C., with a team of dedicated professionals who share a commitment to connect and improve government.
www.hpe.com | www.hpe.com/gov/transformation | @HPE
For more information about this report, please reach out to info@govloop.com.
1152 15th St. NW, Suite 800 Washington, DC 20005 (202) 407-7421 F: (202) 407-7501 www.govloop.com @govloop