Cybersecurity and fraud detection at ING Bank using Presto & Alluxio on S3
0 likes1,094 views
This document summarizes a presentation on cybersecurity detection at ING Bank. It discusses ING's distributed environment with data sources all over the world, the challenges of this for security, and how they use a SIEM system for detection. However, SIEMs have limitations like being mostly rule-based and slow. The presentation then demonstrates Alluxio as a solution for faster data access and detection. It shows how Alluxio can check for obfuscated powershell scripts in just 2 seconds using cosine similarity, whereas detection in a SIEM would be slower. Live demos are also provided of obfuscating a script and detecting the obfuscation.
![Rule based system - example
10
title: Suspicious Reverse Shell Command Line
status: experimental
description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell
logsource:
product: linux
detection:
keywords:
- 'BEGIN {s = "/inet/tcp/0/'
- 'bash -i >& /dev/tcp/'
- 'bash -i >& /dev/udp/'
- 'sh -i >$ /dev/udp/'
- 'sh -i >$ /dev/tcp/'
- '&& while read line 0<&5; do'
- '/bin/bash -c exec 5<>/dev/tcp/'
- '/bin/bash -c exec 5<>/dev/udp/'
- 'nc -e /bin/sh '
- '/bin/sh | nc'
- 'rm -f backpipe; mknod /tmp/backpipe p && nc '
- ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))'
- ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
- '/bin/sh -i <&3 >&3 2>&3'
- 'uname -a; w; id; /bin/bash -i'
- '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};'
- ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');"
- '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)'
- ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print'
- "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:"
- 'rm -f /tmp/p; mknod /tmp/p p &&'
- ' | /bin/bash | telnet '
- ',echo=0,raw tcp-listen:'
- 'nc -lvvp '
- 'xterm -display 1'
condition: keywords](https://image.slidesharecdn.com/2019-08-01alluxioglobalonlinemeetuping-190927233043/85/Cybersecurity-and-fraud-detection-at-ING-Bank-using-Presto-Alluxio-on-S3-10-320.jpg)
Cybersecurity and fraud detection at ING Bank using Presto & Alluxio on S3
- 1. Cybersecurity detection at ING Bank Presto / Alluxio / S3A / Superset Katowice, 1st August 2019
- 2. Agenda 2 • Who we are • ING structure • Standard way of working • HUNT Uses Cases / DEMO
- 3. Who we are? 3 • Mariusz Derela DevOps Engineer • Krzysztof Kuźnik Product Owner
- 4. Short introduction to ING Structure 4
- 5. • Financial regulations • Country regulations • Public cloud • Distributed Environment • „Follow the sun” way of working Challenges from Security point of view 5
- 10. Rule based system - example 10 title: Suspicious Reverse Shell Command Line status: experimental description: Detects suspicious shell commands or program code that may be exected or used in command line to establish a reverse shell logsource: product: linux detection: keywords: - 'BEGIN {s = "/inet/tcp/0/' - 'bash -i >& /dev/tcp/' - 'bash -i >& /dev/udp/' - 'sh -i >$ /dev/udp/' - 'sh -i >$ /dev/tcp/' - '&& while read line 0<&5; do' - '/bin/bash -c exec 5<>/dev/tcp/' - '/bin/bash -c exec 5<>/dev/udp/' - 'nc -e /bin/sh ' - '/bin/sh | nc' - 'rm -f backpipe; mknod /tmp/backpipe p && nc ' - ';socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i))))' - ';STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;' - '/bin/sh -i <&3 >&3 2>&3' - 'uname -a; w; id; /bin/bash -i' - '$sendbyte = ([text.encoding]::ASCII).GetBytes($sendback2); $stream.Write($sendbyte,0,$sendbyte.Length); $stream.Flush()};' - ";os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);os.putenv('HISTFILE','/dev/null');" - '.to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)' - ';while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print' - "socat exec:'bash -li',pty,stderr,setsid,sigint,sane tcp:" - 'rm -f /tmp/p; mknod /tmp/p p &&' - ' | /bin/bash | telnet ' - ',echo=0,raw tcp-listen:' - 'nc -lvvp ' - 'xterm -display 1' condition: keywords
- 11. Numbers – example region 11 55 000 data sources all over the world 150 000 events per second 700B * 150000EPS = 8.25 TB/d Data sources Applications 400 OS 4200 DB 900 NET 90 MDW 80 § Data sources availability monitoring process § Component standardization in place (events normalization) § Monitor All initiative based on stack configuration (all new assets automatically added and removed from scope) § Experience in building distributed multi-tenant cloud computing and file system.
- 12. Cons of SIEM: - It is mostly rule based system - Correlation can be done only on „short” timeframe - Slow searching mechanism - SIEM != Log Collector Pros of SIEM: - Fast rule based system - Fast correlation engine - Real time alerting system 12 Why something else is needed?
- 14. 14 Main Problem - S3(a) or HDFS? 1.Cost 2.Elasticity 3.SLA (availability and durability) 4.Performance per dollar 5.Transactional writes and data integrity
- 15. 15
- 16. 16
- 18. Alluxio UI – More in the demo
- 19. How only 2 seconds?
- 20. 20
- 21. 21
- 23. • task automation and configuration management framework from Microsoft • Command-line shell • Scripting language • Built-in (PS1.0) since 2006: • WINDOWS XP SP2 / Windows Server 2003 / Windows VISTA Powershell 23
- 24. • Why bother ? • Avoding automatic detection (SIEM rule / Anti-Virus / … ) Obfuscation 24 https://github.com/Neo23x0/sigma/blob/master/rules/windows/powershell/powershell_suspicious_download.yml
- 25. • Why bother ? • Confusion Obfuscation 25
- 28. Live demo #1 (obsuscating script) 28
- 29. • Calculates character distribution and assigns a score • Detects Powershell obfuscation (obviously!) Cosine Similarity 29 https://en.wikipedia.org/wiki/Cosine_similarity
- 30. • In Alluxio we can check baseline in a few seconds • A few ways of accessing to data Summary 30
- 31. Live demo #2 (detect) 31
- 32. 32 In case live demo fails miserably
- 33. Clear 33
- 34. Obfuscated 34
- 35. Question? Katowice, 1st August 2019