Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
4 likes1,580 views
SDN capabilities like micro-segmentation, service chaining, and security orchestration can disrupt the APT kill chain. SDN allows automatic provisioning of dynamic security policies. It restricts lateral movement and transparently inserts compensating controls. Security orchestration further automates responses by leveraging intelligence to update network and host-based defenses based on incidents. Together, these SDN features counter APT persistence and give attackers a moving target.
Orchestrating Software Defined Networks To Disrupt The Apt Kill Chain
- 1. #RSAC SESSION ID: Sean Doherty Deb Banerjee Orchestrating Software Defined Networks (SDN) to Disrupt the APT Kill Chain ANF-T08 Chief Architect, Data Center Security Products Symantec VP Technology Partnerships and Alliances Symantec @SeandDInfo
- 2. #RSAC A Quick Level Set
- 3. #RSAC The Phases of an APT Attack 3 1. Reconnaissance Attacker leverages information from a variety of sources to understand their target. 2. Incursion Attackers break into network by using social engineering to deliver targeted malware to vulnerable systems or by attacking public facing infrastructure. 3. Discovery Once in, the attackers stay “low and slow” to avoid detection. They then map the organization’s defenses from the inside and create a battle plan and deploy multiple kill chains to ensure success. 4. Capture Attackers access unprotected systems and capture information over an extended period. They may also install malware to secretly acquire data or disrupt operations. 5. Exfiltration Captured information is sent back to attack team’s home base for analysis and further exploitation.
- 4. #RSAC Characteristics and Capabilities of Software Defined Things 4 Abstraction Instrumentation Automation Orchestration Agility Adaptability Accuracy Assurance Characteristics Capabilities
- 5. #RSAC What is SDN – Definitions and Key Concepts 5 This architecture decouples the network control and forwarding functions enabling the network control to become directly programmable and the underlying infrastructure to be abstracted for applications and network Agile: Abstracting control from forwarding lets administrators dynamically adjust network-wide traffic flow to meet changing needs. Programmatically configured: SDN lets network managers configure, manage, secure, and optimize network resources very quickly via dynamic, automated SDN programs, Source: https://www.opennetworking.org/sdn-resources/sdn-definition
- 6. #RSAC Data Center Security Controls: Host-Based 6 Controls • IDS/IPS • Anti-Malware • Detection/Response Technologies • Signature • Behavioral • Correlation Challenges • Operational Complexity • Impact Analysis • “Will updating a host-based security policy cause an outage?” • False Positives Shellshock Compensation: (CVE-2014-6271)
- 7. #RSAC Data Center Security Controls: Network-Based 7 Controls • Firewalls/VLAN-based Segmentation: Zones, Applications, Tiers, • Network IDS/IPS • Packet Inspection for exploit payloads • DLP : data egress detection Challenges • Operational Complexity • Resource Consumption • False Positives • “Can’t scan all traffic for all exploits”
- 8. #RSAC A ‘Typical’ Data Center Network
- 9. #RSAC 9 Load Balancer WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 Firewall CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB Application BApplication A
- 10. #RSAC Attack Scenario 10 Source: Symantec ISTR : Volume 18 1 0 25% have critical vulnerabilities unpatched 53% of legitimate websites have unpatched vulnerabilities APT that leverages public facing infrastructure vulnerabilities Lots of these to chose from Our scenario a classic 3 tier public web facing application in traditional infrastructure
- 11. #RSAC WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB The Attack 11 Load Balancer Firewall Application BApplication A
- 12. #RSAC Micro-segmentation A new model for data center security 12 STARTING ASSUMPTIONS Assume everything is a threat and act accordingly. DESIGN PRINCIPLES 1 2 3 Isolation and segmentation Unit-level trust / least privilege Ubiquity and centralized control
- 13. #RSAC 13 Load Balancer Firewall Application BApplication A WEBA WEBB FEECOM001 FEECOM002 FEECOM003 CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB FEECOM004
- 14. #RSAC 14 Load Balancer Firewall Application BApplication A WEBA WEBB FEECOM001 FEECOM002 FEECOM003 FEECOM004 CRMAPP1 CRMAPP2 ECOMPRDA ECOMPRDB Firewall
- 15. #RSAC If only everything was as easy as a diagram in PowerPoint 15
- 16. #RSAC Logical View of SDN Architecture 16 NSX Manager, APIC Manager NSX Controller, Nexus 9000 Firewalls, Network IDS/IPS, Network DLP
- 17. #RSAC SDN Creating the Dynamic and Secure Data Center Orchestration Policy Service Chaining Micro Segmentation State Dynamic and Secure Data Center
- 18. #RSAC Micro-Segmented Architecture 18 Load Balancer ESXPRD01 ESXPRDA1 ESXPRDD6 ESXPRDB3 Firewall PRDSVR01 Private Cloud with Application A & B ESXPRDFA ESXPRDFE ESXPRDD D ESXPRDA2
- 19. #RSAC Micro-segmentation with SDN Each Workload is: Isolated Requires all routing to be pre defined Physical workloads and VLANS Control Plane NSX Manager Data Plane Distributed switching, rou ng, firewall REST API Management Plane vCenter Example Using VMware NSX
- 20. #RSAC Service Chaining with SDN Security controls including • IPS • Firewall • DLP can be dynamically added to any traffic flow Security Admin Traffic Steering DashboardSecurity Policy Example VMWare NSX and Symantec DCS:Server
- 21. #RSAC State Static State Applications Vulnerabilities/Exploits Dynamic State IoCs Network Traffic Data Flow and DLP Events Host and Network Intrusion Events Anomaly detection State Applicati ons Vulnerabilit ies/Exploits IoCs Network Traffic Data Flow and DLP Events Host and Network Intrusion Events Anomaly detection
- 22. #RSAC Policy Infrastructure Provisioning •vCenter •NSX •ACI •AWS Security Provisioning Policies •Firewall, Segmentation •IPS •Anti-Malware •DLP •Host Integrity Security Response Policies •Currently Ad-Hoc in the future standards required
- 23. #RSAC Orchestration = SDN + State + Policy 1. Applica on Admin Upgrades Web Services 4. VA conducts scan Vulnerability Manager Hypervisor Change App Event 2. Host-based Security detects change App Event and reports. Security Orchestrator 3. Security Orchestrator: Based on a ributes of applica on determines Vulnerability Assessment is required. CVSS High Exploitable 5. VA returns results to Security Orchestrator: “CVSS High and Exploitable.” SDN Manager 6. Security Orchestrator recommends mi ga ons op ons -Network Security policy (E.g. quaran ne) -Host-based Security(System Hardening) 7. Sec Admin selects Network Security policy. 8. “Quaran ne Tag” to Network Security device Network Security Device 9. PAN applies access control to allow only admin access to VM. 10. VM is placed in SDN “Quaran ne” Security Group Quaran ne
- 24. #RSAC SDN Creating the Dynamic and Secure Data Center Orchestration Policy Service Chaining Micro Segmentation State Dynamic and Secure Data Center
- 25. #RSAC Orchestrating SDNs to disrupt APTs Automated Policy Based Provisioning Consistently apply appropriate controls Moves with the workload, and cleans up behind itself Remove ‘Legacy’ or Temporary Rules and Routes Restrict the ability for the attacker to traverse the network east-west Transparent Service Chaining of Compensating Controls Add, change or remove controls without detection Leverage real-time intelligence to automate this process 25
- 26. #RSAC Orchestrating SDNs to disrupt APTs cont. Tap/Probe insertion during IR Systematic Workload Provisioning Give the attacker a moving target to hit without disrupting the application Honey-Pots and Honey-Nets 26
- 27. #RSAC Summary 27 SDN is a key capability for introducing micro-segmentation and service chaining to facilitate dynamic response to APT attacks Security controls must offer API’s for feeds and for automated response for incidents Apply the persistence of malware against the attack Security orchestration systems can automate policy updates to network and host-based security controls for faster and targeted APT responses SDN’s enable us to optimize infrastructure and operational resource consumption for APT responses
- 28. #RSAC Short Term Evaluate how SDN can help you create fine-grained segmentation zones with lower operational costs Medium Term Redefine your data center strategy for orchestration Threat Detection: malware, data loss, behavioral and IoC’s Vulnerability Management: assessment, prioritization and compensation Automation: Controls with APIs, application level policies and context Pilot Security Automation on SDN Long Term Change the asymmetry of the APT attack 28 Apply What You Have Learned Today