Best Practices for Thwarting an APT Attack with IBM Security QRadar SIEM and Trend Micro Deep Discovery
IBM InterConnect, Las Vegas, February 2016
Trend Micro & IBM Japan Inc.
What’s happening in Japan
Copyright 2016 Trend Micro Inc.
Agenda
• Introduction
• Overview Deep Discovery Inspector
• Key Solution
• Success Case Story
• Demo
Introduction
Takashi Sayama
Trend Micro Senior Security Engineer
• Helps implement CSIRT/SOC
• SIEM system architecture
• Information security consulting
• 13 years: SIEM, SOC, ISP…
Trend Micro
• 26 years focused on security software, now the largest pure-play security vendor
• Headquartered in Japan, listed on the Tokyo Stock Exchange (Nikkei Index, 4704)
• 8 consecutive years on the Dow Jones Sustainability Indexes
• Customers include 48 of the top 50 global corporations
• 5200+ employees, 38 business units worldwide
Segments served: Enterprise & VLE, Midsize Business, Small Business, Consumer
500,000 commercial customers, 155 million endpoints, > 1 million servers
Leading the way with a history of continuous security innovation (timeline): AntiMalware; Corporate server protection; Gateway virus protection; Mail server protection; Cloud-based global threat intelligence; Agentless security for virtualized environments; Protection against targeted attacks (Deep Discovery); Cloud security optimized for AWS, VMware; Flexible interconnected threat defense
More than just AV
• Advanced Threat Detection
• Anti-malware
• Application Control
• Application Scanning
• Behavior Monitoring
• Browser Exploit Protection
• Command & Control Blocking
• Contextual Threat Analysis
• Custom Sandboxing
• Data Loss Prevention
• Device Policy
• Encryption
• Host Firewall
• Integrity Monitoring
• Log Inspection
• Threat Impact Assessment
• Vulnerability Protection / Intrusion Prevention
• Web Reputation
Trend Micro Deep Discovery Inspector
Trend Micro Deep Discovery Inspector
Network-Wide Attack Detection
• Single network appliance
• Detection across all network traffic
  • Malware, C&C, attacker activity across 100+ protocols and all ports
• Custom sandboxing analysis
• Global threat intelligence drives rapid assessment and response
• Handles BYOD and other complex environments
  • Detection beyond Windows: mobile, Mac, Android, legacy systems and specialty devices…
Trend Micro Deep Discovery Inspector
Product Overview
• Network sensor
• Visualizes unknown threats / suspicious behaviour in the network
• 100 protocols, all network ports are covered
• Collects suspicious files and performs sandbox analysis
• Daily, weekly, monthly reports
• Little impact on the existing environment:
  • No inline installation
  • Power, an IP address and a mirrored port are all that is required
  • Form factor: appliance / virtual appliance
Top 3 Solution Differentiators
• Smart: 360-degree network-wide detection of targeted attacks
• Simple: Low cost to deploy & manage
• Security that fits: Fits the evolving ecosystem & enables sharing of intelligence across solution areas
Key Points
• Can detect internal suspicious activities
• Has multiple analysis engines (including sandboxes)
• Can monitor many protocol connections (such as SMB)
• Has many detection rules
Challenges:
• Due to the nature of targeted attacks, indicators are often spread across different protocols and technologies.
• It's difficult for an administrator to prioritize which threats are most harmful.
Analysis Flow for Deep Discovery Inspector (DDI)
"Analysis Flow" for DDI event handling operation (data flow, evaluated in this order):
1. Black List Analysis: compare with the black list. If it matches, send an alert. → Black List log
2. White List Analysis: compare with the white list. If it matches, drop the event from the log. → White List log
3. Use Case Analysis: compare with the use cases. If it matches, send an alert as suspicious behavior. → Use Case log
4. Rule Detect Analysis: compare with the detection rules. If it matches, set the severity and send an alert only when the severity is High. → Rule Detect (High) log; Rule Detect (Med/Low) log
Concerns about analysis flow
Looking at the data flow (Black List log, White List log, Use Case log, Rule Detect (High) log, Rule Detect (Med/Low) log), there is a possibility of "False Negatives": the white list step drops events and the rule detect step alerts only on High, so white-listed traffic and Med/Low rule detections are never alerted.
I wanted a function to resolve the false negative problem.
QRadar Correlation Engine
QRadar Analysis Flow
• Black activities become an offense
  - Critical / High event → offense
  - Medium event → not an offense
• Make a Low severity offense
  - By amount over time
  - Not on the white lists
• Correlate with other events
  - Correlate with other DDI events
  - Correlate with other logs such as IDS
→ Suspicious
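The two flows above, the DDI per-event analysis flow and the QRadar step that builds a Low severity offense from the amount of activity over time, as an added example written for this page (it is not Trend Micro DDI or IBM QRadar code). The black/white lists, rule names and severities, the 10-minute window, the threshold of three and the sample events are all constructed assumptions; DDI's real rules and QRadar's rule syntax are not reproduced. The point it shows is that the three Med/Low detections from one host are only logged by the per-event flow, and only the windowed count turns them into an offense.

```python
"""Added example, not Trend Micro DDI or IBM QRadar code: the four-step
DDI per-event analysis flow from the slides, followed by a SIEM-style
windowed count that turns the Med/Low rule detections the per-event
flow only logs into a Low severity offense.

The lists, rule names, severities, thresholds and sample events are
constructed for the example; DDI's real rules and QRadar's rule syntax
are not reproduced.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed lists (assumptions, not DDI's real data).
BLACK_LIST = {"203.0.113.45"}               # known C&C address
WHITE_LIST = {"10.0.0.5"}                    # internal update server
USE_CASES = {"smb_admin_share_write"}        # analyst-defined behaviours
RULES = {                                    # rule id -> severity
    "cnc_callback": "High",
    "exe_download": "Medium",
    "archive_upload": "Low",
}


def ddi_analyze(event):
    """Return (disposition, severity) for one event, in the slide's order:
    1. black list -> alert, 2. white list -> drop, 3. use case -> alert as
    suspicious, 4. rule detect -> set severity, alert only when High."""
    if event["dst"] in BLACK_LIST:
        return ("alert", "High")
    if event["dst"] in WHITE_LIST or event["src"] in WHITE_LIST:
        return ("drop", None)
    if event.get("use_case") in USE_CASES:
        return ("alert", "Suspicious")
    severity = RULES.get(event.get("rule"))
    if severity is not None:
        return ("alert" if severity == "High" else "log", severity)
    return ("log", None)


def siem_low_severity_offenses(events, window=timedelta(minutes=10), threshold=3):
    """QRadar-style step 'Make Low severity offense: amount by time, not
    white lists': for each source, collect the Med/Low rule detections that
    the per-event flow only logged (white-listed traffic was already
    dropped) and raise one Low offense when `threshold` or more fall inside
    a sliding `window`."""
    logged = defaultdict(list)
    for ev in events:
        disposition, severity = ddi_analyze(ev)
        if disposition == "log" and severity in ("Medium", "Low"):
            logged[ev["src"]].append(ev["ts"])

    offenses = []
    for src, times in logged.items():
        times.sort()
        for i in range(len(times)):
            j = i
            while j + 1 < len(times) and times[j + 1] - times[i] <= window:
                j += 1
            if j - i + 1 >= threshold:
                offenses.append({"src": src, "severity": "Low",
                                 "count": j - i + 1,
                                 "first": times[i], "last": times[j]})
                break  # one offense per source is enough
    return offenses


def _t(minute):
    return datetime(2016, 2, 22, 9, minute)


# Constructed DDI-style events for the example.
SAMPLE_EVENTS = [
    {"ts": _t(0), "src": "10.0.0.23", "dst": "198.51.100.7", "rule": "exe_download"},
    {"ts": _t(2), "src": "10.0.0.23", "dst": "198.51.100.7", "rule": "archive_upload"},
    {"ts": _t(4), "src": "10.0.0.23", "dst": "198.51.100.9", "rule": "exe_download"},
    {"ts": _t(5), "src": "10.0.0.23", "dst": "10.0.0.5", "rule": "exe_download"},  # white-listed
    {"ts": _t(30), "src": "10.0.0.31", "dst": "198.51.100.7", "rule": "archive_upload"},
    {"ts": _t(31), "src": "10.0.0.40", "dst": "203.0.113.45", "rule": "cnc_callback"},
    {"ts": _t(33), "src": "10.0.0.40", "dst": "10.0.0.50", "use_case": "smb_admin_share_write"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["src"], "->", ev["dst"], ddi_analyze(ev))
    # Only 10.0.0.23 becomes an offense: three Med/Low detections in 4 minutes.
    for offense in siem_low_severity_offenses(SAMPLE_EVENTS):
        print("OFFENSE", offense)
```

The white-listed event is dropped before it can count toward the offense, which is the "not white lists" condition on the slide; raising the threshold to four makes the same host disappear again, which is the tuning decision a SOC has to make per environment.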
Sensor vs SIEM
Sensor:
• Can detect suspicious activities easily
• Administrator must monitor the sensor's logs
• Can't find the cyber kill chain with a single sensor
SIEM:
• Has intelligent functions for security analysis
• Administrator can notice suspicious activities easily
• Can't detect suspicious activities without logs
The most important thing is how to find suspicious activities.
Important thing…
• We need both a sensor and a SIEM
• We must have analysis logic for cyber threats
Solution Details
Solution Overview
"Detection" and "Analysis":
Trend Micro DDI (Deep Discovery Inspector) → IBM QRadar (SIEM) ← Trend Micro Analysis Logic
TM Knowledge
Trend Micro Analysis Logic
• Trend Micro engineers have been researching suspicious activities such as APTs
• Analysis Logic is their knowledge of how to find cyber threats
• This knowledge is input as "Custom Rules" in QRadar
• We have a template of "DDI Custom Rules"
  • 6 categories, 15 rules
  • Can be customized for each customer's environment
• Can find suspicious activities with the QRadar Correlation Engine
• "Analysis Logic" is continually updated by Trend Micro
Analysis Logic Sample
(Columns: Rule name / Importance / Objective / Operation action)

Rule name: High-risk malware detection
Importance: Critical
Objective: If a malware name known to be used in APT attacks matches information published by Trend Micro, notify as a High incident.
Operation action: Notify by e-mail; notify by SNMP.

Rule name: Suspicious EXE file drop
Importance: Critical
Objective: DDI detects an executable file in the communication and the path or file name includes one of the following:
• System32
• RECYCLER
• AppData
• PSEXESVC.exe
Operation action: Check whether it was intended for business; investigate the computer.

Rule name: Malware URL requested
Importance: High
Objective: When DDI detects a client accessing a malware URL, the SIEM also detects it by this rule.
Operation action: From the SIEM, run correlation analysis with other log sources (IPS, QFlow, etc.). If the URL is recorded, analyze it via an external site (for example Site Safety Center, VirusTotal, etc.); QRadar's right-click menu can launch this external analysis from the GUI.

Rule name: Suspicious archive file uploaded behavior
Importance: Critical
Objective: If a file name containing "rar" appears in an upload event, detect by rule.
Operation action: Check whether it is an intended operation.

Rule name: C&C Server Access
Importance: Critical
Objective: Detect access to a C&C domain or site.
Operation action: Investigate the destination IP and the client terminal; block the connecting domain.
Analysis Logic Sample (C&C Server Access)
Communication that accesses a C&C server, as seen by DDI
Explanation: Detection of communication that accesses C&C servers used in targeted attacks: HTTP communication generated by specific malware, and IPs and URLs classified as C&C in Trend Micro's database.
Target (DDI detection categories):
1.1 APT Callbacks
1.2 Web Reputation (C&C)
1.3 IRC bot command
Concrete detection: Malware that generates C&C server connection communication.
• IPs and URLs classified as C&C in the Trend Micro Smart Protection Network
• Communication generated by specific malware specialized for targeted attacks, for example:
  • Communication by Poison Ivy
  • Communication by PlugX
  • Communication by Derusbi
Solution Advantages
Scrutinize logs:
• From the analysis knowledge, quick detection of "High Risk" events
• Customize event analysis according to the customer's environment
→ Quick response available
Correlation analysis:
• Determine not by a single event, but by multiple events
• Trigger on a DDI log and analyze correlation with other logs (e.g. proxy)
→ Advanced analysis available
Success Case Story
Success Story: Financial Services Co.
Already using Trend Micro Deep Discovery Inspector:
- Able to find suspicious activities
- Experienced in security operations
Key issues:
- They couldn't handle the large number of events
- They weren't able to do real-time log analysis
Success Story: Financial Services Co.
They adopted our solution for their security operation. As a result, they were able to expand a secure environment.
Before (DDI only):
• Download to Excel, check the logs the next morning
• Only specific events
• Day-behind handling
• Monthly statistical analysis
After (DDI + QRadar):
• Store DDI and proxy logs in QRadar
• Real-time analysis by the Analysis Logic
• Real-time detection of threats by the Analysis Logic
• Aim to handle all events through QRadar offenses
• Correlation analysis with the proxy log
Demo
Demo: Attacker Scenario
1. Attacker remotely accesses and infects a client PC from another PC
2. Remotely copies an executable file (to the C$ administrative share)
3. Remotely adds a job
4. The job executes and the client accesses the C&C server
Diagram: Attacker → (1. copy executable file to C$ (administration share), 2. add job) → Suspected client infected by backdoor → (3. access to C&C server)
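The rules from the Analysis Logic sample table and the demo scenario above, as an added example written for this page (it is not Trend Micro's "DDI Custom Rules" template and not QRadar rule syntax). The indicator sets, the DDI-style event field names, the "remote_job_add" event kind and the sample events are constructed assumptions. Two things are shown that the slides only describe: each of the five table rules as a concrete check, and the kill-chain correlation that a single sensor cannot do, where the victim appears as the destination of the SMB stages but as the source of the C&C callback, so the two must be keyed together.

```python
"""Added example, not Trend Micro's "DDI Custom Rules" template or QRadar
rule syntax: five rules from the Analysis Logic sample expressed as Python
checks over DDI-style events, plus the kill-chain correlation for the demo
scenario (EXE copied to the C$ share, job added remotely, C&C callback).

Indicator sets, event field names, the "remote_job_add" event kind and the
sample events are constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicators; Trend Micro's real C&C and URL feeds are not used.
CNC_DOMAINS = {"update.example-cnc.test"}
MALWARE_URLS = {"http://dl.example-bad.test/setup.exe"}
APT_MALWARE_NAMES = {"PlugX", "Poison Ivy", "Derusbi"}
EXE_DROP_INDICATORS = ("system32", "recycler", "appdata", "psexesvc.exe")
ADMIN_SHARES = ("C$", "ADMIN$")


def match_rules(ev):
    """Return the (rule name, importance) pairs from the sample table that
    one DDI event matches; an event can match more than one rule."""
    hits = []
    path = ev.get("file", "").lower()
    if ev.get("malware") in APT_MALWARE_NAMES:
        hits.append(("High-risk malware detection", "Critical"))
    if path.endswith(".exe") and any(ind in path for ind in EXE_DROP_INDICATORS):
        hits.append(("Suspicious EXE file drop", "Critical"))
    if ev.get("url") in MALWARE_URLS:
        hits.append(("Malware URL requested", "High"))
    if ev.get("direction") == "upload" and path.endswith(".rar"):
        hits.append(("Suspicious archive file uploaded behavior", "Critical"))
    if ev.get("domain") in CNC_DOMAINS:
        hits.append(("C&C Server Access", "Critical"))
    return hits


def kill_chain_offenses(events, window=timedelta(minutes=30)):
    """Correlate the demo scenario per victim host. The SMB stages name the
    victim as `dst` (the attacker writes to it); the C&C stage names it as
    `src` (the victim calls out), so the two must be keyed together. Raise
    one Critical offense when copy -> job -> C&C occur in order within
    `window`; a lone admin-share copy is not enough."""
    stages = defaultdict(dict)  # victim -> stage -> first timestamp
    for ev in sorted(events, key=lambda e: e["ts"]):
        if (ev.get("proto") == "SMB" and ev.get("share") in ADMIN_SHARES
                and ev.get("file", "").lower().endswith(".exe")):
            stages[ev["dst"]].setdefault("copy", ev["ts"])
        elif ev.get("kind") == "remote_job_add":  # constructed event kind
            stages[ev["dst"]].setdefault("job", ev["ts"])
        elif ev.get("domain") in CNC_DOMAINS:
            stages[ev["src"]].setdefault("cnc", ev["ts"])

    offenses = []
    for victim, seen in stages.items():
        if ({"copy", "job", "cnc"} <= seen.keys()
                and seen["copy"] <= seen["job"] <= seen["cnc"]
                and seen["cnc"] - seen["copy"] <= window):
            offenses.append({"victim": victim, "severity": "Critical",
                             "stages": dict(seen)})
    return offenses


def _t(minute):
    return datetime(2016, 2, 22, 14, minute)


# Constructed DDI-style events. Attacker 10.0.0.99 works on victim 10.0.0.23.
SAMPLE_EVENTS = [
    {"ts": _t(0), "src": "10.0.0.99", "dst": "10.0.0.23", "proto": "SMB",
     "share": "C$", "file": "Windows\\System32\\svchosts.exe"},
    {"ts": _t(1), "src": "10.0.0.99", "dst": "10.0.0.23", "proto": "SMB",
     "kind": "remote_job_add"},
    {"ts": _t(3), "src": "10.0.0.23", "dst": "203.0.113.45", "proto": "HTTP",
     "domain": "update.example-cnc.test"},
    # An admin pushing PsExec to a server: rule hit, but no job/C&C follow.
    {"ts": _t(5), "src": "10.0.0.2", "dst": "10.0.0.50", "proto": "SMB",
     "share": "ADMIN$", "file": "tools\\PSEXESVC.exe"},
    {"ts": _t(7), "src": "10.0.0.31", "dst": "198.51.100.7", "proto": "HTTP",
     "direction": "upload", "file": "docs.rar"},
    {"ts": _t(9), "src": "10.0.0.40", "dst": "198.51.100.9", "proto": "HTTP",
     "url": "http://dl.example-bad.test/setup.exe", "malware": "PlugX"},
]

if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(ev["src"], "->", ev["dst"], match_rules(ev))
    for offense in kill_chain_offenses(SAMPLE_EVENTS):
        print("OFFENSE", offense)
```

The PsExec push to ADMIN$ fires the "Suspicious EXE file drop" rule exactly as the table says it should, which is why that rule's operation action is "check if it is intended for business": the correlation, not the single rule hit, separates it from the demo's attacker, who also adds a job and then calls out to the C&C domain.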
Thank you
TRENDMICRO.COM/CLOUD