F-Secure Rapid Detection & Response Service - Service Description

May 2018

"A lot of the attacks we're seeing nowadays aren't 'Advanced Persistent Threats', they're simple hacks performed by 'Adequate Pernicious Toerags'."
Dr. Ian Levy, GCHQ

Cyber Security Experts: watching over your environment 365/24/7
Max 30 minutes from detection to response
Immediate Return On Investment as a turnkey managed service

From the field

Over the last few years, you've probably heard phrases such as "the tactics, techniques, and procedures crafted by highly resourced threat actors are falling into the hands of less skilled adversaries". That's long speak for "expect a lot more script kiddies to start pwning your systems". As Dr. Ian Levy from GCHQ recently pointed out, a lot of the attacks we're seeing nowadays aren't "Advanced Persistent Threats", they're simple hacks performed by "Adequate Pernicious Toerags".

Nothing illustrates this phenomenon better than the group we've dubbed "The Romanian Underground". This is a group that we have had first-hand experience with on a number of occasions while performing incident response and forensics work.

The Romanian Underground are, simply put, a bunch of IRC chat room buddies who decided it would be cool to take up the hobby of "hacking". Most of these kids, upon joining the collective, have little to no Unix skills to speak of. They probably know about five commands in total. Newcomers are taken under the wing of a mentor who provides them with simple tools and training to get them started on their new hobby. These mentors are almost as unskilled as the newcomers - they probably know about five more Unix commands than their apprentices. But they've been in the game for a few weeks already, and have a wealth of experience.

As newcomers learn the ropes (which usually implies that they've learned to configure and use a couple of tools), they're promoted to mentors, and take on their own set of apprentices. This hierarchical model closely resembles popular pyramid selling schemes you might have had the misfortune to encounter. Of course, the guys involved in The Romanian Underground aren't looking to become millionaires by selling soap - the pyramid scheme is a form of gamification, where the goal is to collect as many owned systems as possible and move up the ranks. Naturally, it's the guys at the top of the pyramid who really benefit from all of this. They're the ones providing the tools, and by pushing all their manual work downstream, they get access to thousands of compromised systems. Meanwhile, the newcomers are happy to proudly identify themselves as "hackers" on their Facebook pages (alongside other unrelated hobbies such as windsurfing or snowboarding).

The toolkits being pushed down the pyramid are usually designed to exploit or brute force common services such as SSH and webmail servers. What might surprise you (or not) is that these toolkits, in the hands of completely unskilled noobs, are being used to compromise even PCI-DSS-compliant organizations across the globe.

The Romanian Underground represent just one of many groups that form part of a growing trend of low-skilled hackers and cyber criminals. The motives of the masterminds behind these groups are, you guessed it, financial gain. Acquiring access to a large number of compromised company networks allows them to cherry-pick prime targets for cyber extortion and data exfiltration. And any company is a potential target.

The fact that these groups are able to compromise PCI-DSS-compliant organizations is a testament to the fact that purely preventative cyber security solutions simply aren't cutting it anymore. And the reason why so many companies are now being owned in this style is due to the fact that they simply don't have an ounce of visibility into post-breach activities on their networks.

That's not to say that skilled attackers aren't also out there. But, as a company that's been involved in more European cyber crime investigations than any other company in the world, we can tell you that there's no point in worrying about the NSA or APT28 until you know you can at least stop these guys.

© 2018 F-Secure Corporation. All rights reserved. 'F-Secure' and F-logo are registered trademarks of F-Secure Corporation. F-Secure product and technology names and F-Secure logos are either trademarks or registered trademarks of F-Secure Corporation. Other product names and logos referenced herein are trademarks or registered trademarks of their respective companies.

[Figure: Machine Conducted Attacks versus Human Conducted Attacks]
Machine Conducted Attacks (99.9%): Spyware, Ransomware, Banking Trojans, Self-replicating Botnets, Remote Access Trojans. Protection common: End-point protection, Email security, Firewall.
Human Conducted Attacks (0.1%): Spear Phishing, Reconnaissance, Lateral Movement, Privilege Elevation, Establishing Persistence, Data Exfiltration. Usually no protection: Managed Detection & Response, Endpoint Detection & Response, Incident Response Services.

Commodity threats, and the solutions that protect against them, are commonplace... But targeted attacks have the potential to be a lot more damaging. And most organizations aren't protected against those at all. Read on to learn more.

THE ANATOMY OF AN ATTACK

In our experience, most companies only discuss cyber security while on the broader topic of risk management. While performing risk analyses, companies identify threats or risks relevant to their organization and then prioritize them based on likelihood, impact, and cost to mitigate. When addressing cyber threats, we've noticed a potential disconnect between the risk that companies perceive and the reality of the situation. We'd like to help clear that up.

Sophisticated cyber attacks tend to start at the top and work their way down. It's the opposite of "low-hanging fruit". When new types of attacks are discovered, they're usually attributable to highly resourced threat actors (i.e. nation states). These adversaries, by default, go after the highest-value targets first. As the tactics, techniques, and procedures (TTPs) used in such attacks become public knowledge, they trickle down into the hands of less organized cyber criminals. New TTPs first see use against governments, military targets, and defense contractors. Next on the ladder are usually banks and critical infrastructure providers (such as energy companies). The same TTPs then get used against heavy industry and finally, everyone else (manufacturing, retail, SMEs, etc.).

Threats to an organization aren't limited to attacks from the outside. Accidental and intentional leaks can and do originate from company insiders with enough access to critical or confidential assets. Upstream attacks, where a partner, supplier, or contractor is compromised by an attacker looking to establish a beachhead in an adjacent organization, are also very common. In several incident response cases we've been involved with, even physical intrusion of a company's premises was used as part of the attack vector.

[Figure: attacker Skills plotted against target Focus. The Skills axis runs from Low to High: Cyber Crime, Organized Cyber Crime, Hacktivists/Researchers, Nation State Actors. The Focus axis runs from Low to High: Retail, Manufacturing, Banks, Infrastructure, Defense, State. A region is labelled "Protection offered by typical corporate level of investment". Incidents plotted: Crypto Ransomware, Crypto-miners, Exploit Kits, Necurs Botnet, Mirai Botnet, VTech Hack, Dridex, WannaCry, Tesco Bank, Bangladesh Bank, Panama Papers, SF Muni Hack, Shamoon, Sony Pictures, Yahoo! Breach, Hacking Team breach, US Office of Personnel, John Podesta's Gmail, Havex Trojan, Triton/Trisis, Shadowbrokers, The Dukes, Sofacy, Slingshot, NotPetya, Regin, Stuxnet/Duqu.]

"When GDPR and NIS regulations are effective, it will be mandatory for organizations to have an answer to data breaches."

Cyber attacks come in many forms, ranging from commodity malware (such as ransomware) to highly skilled attacks performed by nation-state actors. We've broken these threats down into separate categories.

Commodity threats

Commodity threats are highly prevalent, and have been for decades. A company's chance of encountering commodity threats is, therefore, extremely high. However, due to their prevalence and long history, there are plenty of good software solutions available designed to protect against these threats. And these solutions work as intended. If a business is hit by a commodity threat (such as crypto-ransomware), the impact is usually fairly low. Most of the time it'll be blocked by endpoint protection software. If it does get through, there are two options – pay the ransom or fix the problem. Don't pay the ransom and a handful of staff will lose some productive work time. Pay and, most of the time, you'll get the data back. Ransom amounts are low by company standards. So, the likelihood of seeing a commodity threat is high, the impact tends to be low, and the mitigation cost is basically free (we assume you're smart enough to be running an endpoint protection solution already).

Cyber crime

Cyber crime represents the next category on our risk assessment scale. This category moves beyond the realm of commodity malware threats, and onto targeted attacks. Companies are selected as targets for various reasons. In some cases, a victim is chosen because they are "broadcasting" themselves via weak or vulnerable infrastructure. Other targets are selected simply because the attacker has taken interest in a particular organization, for one reason or another.

Cyber criminal attacks are often opportunistic - the attacker has an easy way in, sees an opportunity to make money, and takes it. Cyber crime is by-and-large financially motivated. Once the adversary has breached the target's network, systems or data will be held for ransom. We refer to this phenomenon as "cyber extortion". These types of attacks are very much on the rise, and can target organizations of any size, from SMEs to large enterprises.

We predict that the introduction of the NIS and GDPR regulations will further embolden cyber criminals and cyber extortion schemes. Once these regulations are in effect, companies may be more willing to fork over a ransom, in order to sweep the news of a breach under the rug rather than face the expensive task of responding to and reporting the incident.

Cyber crime can be broken down into roughly two categories – organized and non-organized. Organized cyber criminal groups are very close, in terms of sophistication, to nation-state actors. The Bangladesh bank attacks of 2016 are a good example of organized cyber crime. Non-organized cyber criminals often run as lone wolves. They have fewer resources, and their skill can vary. The Romanian Underground falls into this category.

Two years ago, we'd have rated the likelihood of falling prey to cyber criminals as low. Today, the likelihood is medium, and on the rise. The financial and business impact of a targeted cyber crime attack can vary. In many of the cases we've responded to, ransoms demanded by non-organized cyber extortionists only ran into the tens of thousands of Euros - not a hefty sum for most organizations. But we don't imagine that any organization would simply pay

"Targeted attacks don't care about your 'next gen' product, no matter how shiny the vendor claims it to be. To be blunt, the solutions they're selling are fixing the wrong problems."

DON'T BELIEVE THE HYPE

Getting to the point of why we presented this risk analysis - we've noticed that there's still a very strong marketing push towards endpoint protection solutions. We've seen "next gen" vendors claim that their solutions can prevent targeted attacks. Some even foolishly claim that breach detection is irrelevant, since it's already "game over" if a threat gets through perimeter defenses. It's dangerously misleading.

problem. Organizations are way too distracted to realize that they should start investing in breach detection and response, instead of another layer of protection against commodity threats (although the adversaries would love you to do this). Let's put it this way - would you rather have your next incident involve cleaning malware off a laptop in your sales department or dealing with a full-blown data breach?
                                       the ransom and go about their business. The                                                                            But don’t just take our word for it. Gartner
                                       knowledge that an intruder is in their network                       Targeted attacks don’t care about your “next      predicts that by 2020, 60 percent of enter-
                                       is going to be enough to call in an incident re-                     gen” product, no matter how shiny the ven-        prise information security budgets will be
                                       sponse team to sort out the situation.                               dor claims it to be. To be blunt, the solutions   allocated for rapid detection and response
                                                                                                            they’re selling are fixing the wrong prob-        approaches , which is an increase from less
                                       If an adversary manages to exfiltrate import-                        lems.                                             than 30% in 2016. So, ask yourself this: how
                                       ant data, the costs of a cyber crime incident
                                                                                                            Given this huge marketing push from “next         much of your budget have you allocated to
                                       can really start to skyrocket. This is especially
                                                                                                            gen”, we’re not really surprised to see that      breach detection and response right now?
                                       true if customer data was involved. No matter
                                                                                                            very few companies we’ve spoken to are            We’re guessing it isn’t close to 60 percent.
                                       what, a breach is most likely going to incur
                                                                                                            aware of the need for breach detection and        In our experience, only 10% of companies
                                       reputational, legal, PR, business, and internal
                                                                                                            response capabilities. And therein lies the       we’ve talked to even had a budget allocated
                                       productivity costs. And it’s not anymore limited
                                                                                                                                                              for breach detection and response.
                                       to protecting your business and its sensitive
                                       data, but regulatory bodies like NIS and Euro-
                                       pean Union have made new requirements. For
                                       example, EU’s General Data Protection Reg-
                                       ulation (GDPR) requires organizations to be
                                       adequately prepared to detect, respond and
                                       report personal data breaches within 72 hours.
                                       We’d venture that it would be a good time to                                    By 2020, 60 percent of enterprise
                                       start thinking about that if you so far have not.                            information security budgets will be
                                       Nation state
                                                                                                                     allocated for rapid detection and
                                       Companies that worry about being targeted by
                                                                                                                      response approaches, which is an
                                       nation-state attacks typically know who they                                  increase from less than 30% in 2016.
                                       are. They also know that defending against a
                                       nation-state attack is almost impossible. Re-
                                       gardless, they’re forced to try (since they can’t
                                       afford not to). The impact of nation-state at-
                                       tacks can vary from having top secret intellec-                                                        Gartner 'Special Report
                                       tual property stolen by overseas competitors                                                           Cybersecurity at the Speed of Digital Business’
                                       or governments, to having your nuclear enrich-                                                         Paul E. Proctor, Ray Wagner, 30 August 2016
                                       ment halted when centrifuges are destroyed.
“ANY ORGANIZATION NOT RUNNING A BREACH DETECTION SOLUTION (OR NOT HAVING PERFORMED A RECENT INVESTIGATION) MUST, IN THIS DAY AND AGE, ASSUME THEY'RE IN A POST-BREACH STATE.”

FROM A DEFENDER’S DILEMMA TO AN INTRUDER’S IMPASSE

Cyber threats are asymmetric in nature. An attacker only needs to succeed once to gain access to a network. Defenders must succeed one hundred percent of the time if they want to keep attackers out. You can’t rely on being successful all the time.

And yet this is what most companies are doing. Traditional perimeter defense technologies, such as firewalls and endpoint protection software, do a good job at what they’re meant to do - namely detecting and blocking real-world and commodity threats. But you can’t expect these solutions to stop advanced adversaries. Any adversary worth their salt will craft an attack designed to bypass those defenses. And they won’t even need to use malware to gain a foothold in the organization (contrary to what you might have been told, skilled attackers rarely, if ever, use malware).

Cyber attacks commonly follow the same pattern. Attackers start by breaching the perimeter of an organization with spear-phishing, watering hole, or man-in-the-middle attacks. Sometimes attackers may gain entry by exploiting a vulnerability in a public-facing system, or even by purchasing access to an already compromised system. Once inside the perimeter, adversaries perform reconnaissance, elevate privileges (by exploiting misconfigured or vulnerable systems), hunt for domain admin passwords (using memory-scraping tools such as Mimikatz), and move laterally onto interesting systems. They’ll often establish persistence using off-the-shelf RATs such as Orcus, LiteManager, or LuminosityLink. They’ll then exfiltrate data using subtle methods designed to mimic regular user behavior.

Most of the tools an attacker needs are built into the operating system itself. And attackers are adept at hiding from network-based IDS systems by hiding the command and control traffic. It’s almost impossible to detect modern attack techniques simply by analyzing network traffic. In fact, there are too many ways for an attacker to hide. All of these techniques fly under the radar of traditional perimeter defenses such as firewalls, endpoint protection, and spam filtering.

In most cases, once a company has been breached, adversaries are able to act with impunity for as long as they wish. It’s not uncommon for a company to find out they’ve been compromised from a third party (such as a CERT organization). In our experience in the field, on average the time between a breach happening and being discovered is 100 days. Think about that - it takes the majority of organizations months or even years to figure out they have been hacked. Any organization not running a breach detection solution (or not having performed a recent investigation) must, in this day and age, assume they’re in a post-breach state.

Breaches are becoming more and more commonplace. And this is because adversaries know that their targets have no idea they’re being hacked. For many attackers, compromising systems is just as easy as a burglar walking into a house with the front door left wide open.

But here’s something interesting - adversaries actually hate the idea of getting caught. And they hate operating in an environment where there’s a chance they’re being monitored. That’s why most good attackers will exercise caution. Once inside a victim’s network, a professional intruder will tread lightly, while constantly being on the lookout for signs that they’ve been detected.

Attackers know that a good defender won’t react to signs of an intrusion in a panic – they’ll watch the intruder, gather intel, and then act on the situation when they’re good and ready. As a defender, successful detection and effective response will, in the eyes of the adversary, constitute a breach of their mission.

While it would seem that attackers have the advantage, there’s actually a lot that defenders can do to turn the tables on them. Everything the attacker does is bound to leave a trail of evidence behind them. And while a compromised system may not be able to tell you when it’s “owned”, there’s a chance that it logs some evidence. That evidence can be used to spot the intruder, or even travel back in time to reconstruct the adversary’s movements.

Just imagine the frustration when an attacker realizes that every move they’ve made has been monitored, that they’ve exposed their entire toolchain, and that they’ve effectively been sent back to square one. Not a great feeling for the attacker. And a huge win for the defender.

This is, in our opinion, the best approach to cyber defense. Let’s delve into how we achieve that goal.

Figure: the Predict, Prevent, Detect, Respond cycle.

“HIRING AND RETAINING CYBER SECURITY EXPERTS IS NOT EASY. IT IS ESTIMATED THAT, RIGHT NOW, THERE ARE AT LEAST TWO CYBER SECURITY JOBS FOR EVERY ONE PERSON WORKING IN THE FIELD. AND THIS PROBLEM IS EXPECTED TO BECOME EVEN MORE ACUTE IN THE FUTURE.”

WHAT IS RDS?

F-Secure Rapid Detection & Response Service (RDS) is a managed breach detection and response service. What we mean by “managed” is that there’s a minimal installation process on your side to get things up and running, and after that, everything from breach detection to response is handled by us.

We decided to take the managed service route after seeing the difficulties other companies had in building their own breach detection and response capabilities.

Of all the challenges that organizations face while building breach detection and response capabilities, nothing really compares to the difficulty they face when trying to hire and retain good cyber security expertise.

We’re lucky here at F-Secure - our line of work ensures that we already have plenty of in-house cyber security experts. We’ve been working with threats and building automation for decades. And we know how difficult it is to get things right. We realized that the best way to provide an unequalled breach detection and response service was not to build a product or rely solely on artificial intelligence; it was to provide both systems and expertise directly to our customers.

Hiring and retaining cyber security experts is not easy. It is estimated that, right now, there are at least two cyber security jobs for every one person working in the field. And this problem is expected to become even more acute in the future. The only way you’re going to get valid data from an in-house IDS is by having experts on staff. The same goes for keeping up on threat intelligence, configuring systems, red teaming, and responding to incidents correctly. So, you’re probably going to need more than one or two experts on your payroll.

RDS doesn’t just provide human expertise, though. It’s a service that’s built on top of threat intelligence, sample analysis, and decision-making systems that have been developed in-house for over a decade. And while an organization could eventually develop their own in-house systems and expertise to the levels we’ve reached, it would take them a very long time.
     OUR EXPERTS AT YOUR
     SERVICE 24/7
     At the core of RDS is our Rapid Detection & Response Center, which
     is the base of operations for all of our detection and response ser-
     vices. At RDC, cyber security experts work on a 24/7 basis, where
      they hunt for threats, monitor data and alerts from our customers’
     environments, flag anomalies and signs of a breach, and then work
     with our customers to respond to real incidents as they take place.
     RDC staff have access to our own in-house, world-class analytical
     tools, all of our threat intelligence data, and a wealth of information
     and knowledge from both our Cyber Security Services and F-Secure
     Labs organizations. In fact, all of these teams work closely in coop-
     eration with each other.
     Staff at our Rapid Detection & Response Center are trained to handle
     a variety of tasks. Their main tasks fall into roughly three different
     roles - threat hunters, incident responders, and forensics experts.

     Threat hunters
     Threat hunters are our first responders. They monitor the service
     and hunt for threats. When a threat hunter discovers something
     suspicious, evidence is collected to verify the incident. If a real inci-
     dent is discovered, it is given a priority. High-priority alerts are gen-
     erated when there’s a strong indication of an ongoing breach, and
     in these cases, the customer is immediately contacted by phone.
     For non-critical cases, guidance is sent to the customer by email.
      Threat hunters also keep the customer up to date on any ongoing
     investigations.

     Incident responders
     Incident responders are assigned complex cases that customers
     are unable to handle on their own, and are usually sent out to assist
     the customer on-site. Incident response personnel can assist with a
     range of technical and non-technical response activities, depending
     on your needs. We are also familiar with collecting evidence for law
     enforcement purposes, should it be required.

     Forensics experts
     Forensics experts are specialists tasked with the most difficult of
     cases. We’re one of the few organizations globally who can handle
     a very wide range of forensic tasks, ranging from internal network
     triage to deep reverse engineering of unique malware samples. This
     allows us to handle even the most complicated nation-state origi-
     nated attacks.
FROM DIY TO ROI

Because expertise, monitoring, threat hunting, and response capabilities are covered by RDC, once you’ve decided to implement RDS in your organization, all you need to do is install simple sensors and devices on your network. The time from initial deployment and configuration to actual breach detection and response capabilities is less than a week. In fact, we’ve been told by several customers that we have the easiest system they’ve ever worked with.

The alternative to deploying a managed breach detection and response service is a lengthy (in most cases 3-5 years) and expensive (multi-million Euro) project of purchasing, deploying, and configuring dedicated systems, and hiring and training a sizeable staff. But RDS isn’t just about a fast return on investment. We’ve seen many companies go to the trouble of building a SOC and setting up IDS and SIEM, only to still not catch threats. This is because, in our experience, finding actual threats is like finding a needle in a haystack.

To illustrate with a recent real-world example, in a 1300-node customer installation, our sensors collected around 2,000,000,000 events over a period of one month. Raw data analysis in our back-end systems filtered that number down to 900,000. Our detection mechanisms and data analytics then narrowed that number to 25. Finally, those 25 events were analyzed by our staff at RDC, where 15 real threats were discovered (and verified by the customer).

The thing is, if you go with your own IDS/SIEM solution, it’s your organization that will need to process those 900,000 events. And that’s why we’ve gone to countless customer sites and found threats on their network, despite those customers already running very well-known IDS solutions. Combing through the noise and false positives is difficult, and can cause fatigue in even the most diligent of analysts.

In order to process this volume of events, you also need reliable, up-to-date threat intelligence. At F-Secure, we have our own in-house sources. And after over 25 years in the business, we also have a massive historical sample collection that even gives us the ability to find relevant threats left undiscovered from currently active threat actors. Our researchers do both threat intelligence investigations and reverse engineering. This gives us both high-level knowledge of the global threat landscape and in-depth technical knowledge of the threats themselves. Instead of studying each threat independently, we identify relationships between threats, allowing us to understand the capabilities and motives of an adversary. We focus on the puzzle and not just on the individual pieces.

Figure: detection funnel from the 1300-node example
15 Real Threats - confirmed by the customer
25 Detections - RDC threat hunters confirmed anomalies and contacted customer
900 000 Suspicious Events - after RDS engine analysis of the raw data
2 billion data events / month - collected by ~1300

Figure: cost of building in-house capabilities
Threat Intelligence: 1+ M€
Internal network Detection & Response: 1+ M€
Situational awareness: 1+ M€
Components: IDS, EDR, IR, SOC, SIEM, Endpoint

Building in-house breach detection and response capabilities is difficult

We’ve noticed that, for most organizations, setting up in-house breach detection and response capabilities tends to be a complicated, time-consuming, and expensive endeavor. There are multiple components that need deploying and configuring. All of them are expensive, so purchasing decisions take time and research. Different components may or may not interoperate well, so you have to figure that out, too. Then you need to select threat intelligence feeds, and there are dozens if not hundreds of those available. Deploying and configuring these systems is a complicated job. And at the end of all this, you’ll be left wondering if you’ve got everything covered and whether or not all the pieces are talking to each other properly. And that’s just the initial install. After that, systems, rules, and feeds need to be constantly improved and modified as the world changes.

Responding to a breach is usually also a lengthy and expensive process that requires expert data forensics and incident response work. A typical response scenario includes removing the adversary from the network, cleaning up or restoring affected systems, resetting compromised accounts, determining where the intruder has been, and determining what the intruder has done. Most companies don’t have the in-house expertise or capabilities to perform these types of activities, and so must call on a third party to help.

Integrating your own systems

By the way, for organizations that have already invested in infrastructure such as SOC, SIEM, or IDS, our Rapid Detection & Response Service provides an additional layer of security that easily integrates into
                        Preventive                                                         protection &
                                                                                              firewalls
                                                                                                                                  end-point sensors
                                                                                                                                                                     (via processes and APIs) and enhances any
                                                                                                                                                                     existing ecosystem. We have a REST API for
                                                                                                                                                                     detections and sensors, and we’re building
                                                                                                                                                                     in more capabilities all the time. We also
                                                                                                                                                                     use a standard ticketing system that inte-
                                                                                                                                                                     grates easily into existing customer support
                    0                                                                                       3-5
                                                                                                           years                                                     processes.
“THE WEEKLY REPORTS FROM RAPID DETECTION & RESPONSE CENTER HAVE BEEN PROVIDING ME WITH GREAT COVERAGE OF THE LATEST SECURITY EVENTS. EVEN BETTER, I HAVE FOUND IT INTERESTING TO READ! I HAVE ALSO BEEN IMPRESSED BY THE RESPONSIVENESS OF RAPID DETECTION & RESPONSE CENTER.”

Jukka Vallisto
IT Specialist
Amnesty International Finland

DETECTION AND DECEPTION

RDS was designed from the ground up to detect even the most skilled attackers using non-malware techniques, and to respond to those threats within a thirty-minute timeframe. This thirty minutes includes initial investigation, false-positive filtering, and prioritization. The goal is always to provide the customer with actionable guidance as part of the alert. Unlike many other solutions on the market, our customers always gain the ability to start incident response activities as soon as an anomaly is detected.

How do we achieve this?

We utilize a “detection and deception” approach that uses a combination of endpoint sensors and honeypots. Here’s how it works: the process starts when a sensor is installed in your network and starts looking for signs of compromise. Sensors collect and communicate events to our backend systems. This data is processed and matched against threat intelligence sources using user and entity behavioral analytics. Staff at our Rapid Detection & Response Center receive actionable alerts that make it through this automation.

Between the moment an RDC hunter receives an alert and the moment a customer is called, the hunter verifies the alert, decides on a priority, and determines what has occurred. Remediation steps are also formulated during this time. We then call the customer and advise them on how to respond to the situation.

Response actions are determined by the type of incident encountered. In the easiest of cases, one of our hunters can provide sufficient instructions over the phone. In more complex cases, we may need to send incident responders over to help. In the future, we expect to be able to automate more and more response activities.

When a breach is discovered, having access to historical data is the key to building a detailed post-breach event timeline. Since adversaries almost invariably wipe data to cover their tracks during an attack, having access to data that is stored off-premises means having a pretty much guaranteed tamper-proof source of evidence for incident response and forensic investigators. In the event of an incident, F-Secure Rapid Detection & Response Service helps the customer preserve any evidence that is essential in subsequent incident response actions.

RDS is also designed to look for the existence of newly discovered threats in historical data. Retrospective threat hunting is achieved when new detection algorithms are run against historical data collected from each of our customers. This mechanism is especially useful when dealing with attacks from more advanced adversaries (that may have gone hidden for some time).

RDS can be deployed during ongoing incident response work, and is used as a threat hunting service that can quickly gain visibility into a network that has already been breached.

Finally, RDS continues to work outside of the corporate network. In a world where the classical security perimeter is crumbling, traditional IDS approaches have become ineffective (since they typically only work on the edge of the network). These traditional approaches cannot track threats when devices are outside of the corporate network, or when people utilize cloud-based services. Our endpoint sensor approach solves this problem rather effectively. What’s more, we’ve been working on extending RDS capabilities into cloud services, such as Salesforce.

Endpoint Sensor

F-Secure’s Endpoint Sensors are lightweight, discreet monitoring tools designed to be deployed on all relevant Windows, MacOS, and Linux computers within your organization. Sensors are custom-configured for each organization and are easily deployed using standard IT remote administration tools. These components collect behavioral data from endpoint devices using well-documented mechanisms, and are specifically designed to withstand attacks from adversaries (we can detect tampering attempts against these components). Since they’re just data collectors, they require very little maintenance. Through a process of data normalization, we’ve managed to limit the amount of data upstreamed by each sensor to a few megabytes per day. Sensors have a low impact on performance and bandwidth utilization. By collecting such a small amount of data per day, we are able to save historical data for longer periods of time.

Note that endpoint sensors are also designed to function in Payment Card Industry Data Security Standard (PCI-DSS) compliant environments. Our sensors don’t collect the sort of information that might jeopardize card-holder data, data is only ever relayed in one direction (from the endpoint to the back end), and it’s not possible for human operators to directly interact with the sensors themselves.

Network and Decoy Sensors

Network and Decoy Sensors are designed to be deployed across your organization’s network segments. Network Sensors analyze all connection attempts to and from your organization’s network, record selected network traffic, and analyze files that arrive on the systems. Data sent over the network reveals signs of potentially suspicious activity that otherwise would not be seen.

Decoy Sensors are honeypots working as an effective, low-noise method of identifying post-breach activity. Attackers typically perform a recon phase once they’ve gained access to a network (in order to identify easy targets for lateral movement, persistence, and privilege escalation). Network Decoy Sensors are designed to catch the scans associated with this sort of reconnaissance and provide easy targets for the attacker to focus on.

Any action the attacker performs on the active decoy is automatically detected and logged by our service. Furthermore, honeypots keep the adversary busy, reveal the tools they’re using, and allow us to build a detailed base of forensic evidence while the attack is in progress. We can actually observe adversaries “living off the land” by monitoring these environments.

Decoy Sensors emulate popular services including SSH, HTTP, and SMB, and are designed to mimic Windows servers, workstations, file servers, and even VOIP servers. All connection attempts to and from network sensors are recorded, and any files that arrive on the systems are analyzed by F-Secure.

Reporting

You will be alerted whenever a real threat is flagged. With a dashboard you can stay on top of all alerts reported as suspected attacks. Actionable guidance provided by our service helps you respond promptly whenever under an attack, and the service helps you manage the verification process regarding less critical detections. The dashboard also provides continuous visibility into all installed sensors and hosts.
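The decoy-sensor idea above rests on a simple property: no legitimate user has any reason to contact a honeypot, so every connection to one is worth an alert, and a single source touching several decoy services in a short window is the signature of a post-breach reconnaissance sweep. The following is an added illustration of that detection logic, written for this page and not F-Secure’s own code; the log format (timestamp, decoy host, emulated service, source address), the five-minute window, the three-target threshold and all sample lines are constructed assumptions.

```python
"""Added example (not F-Secure code): flag hosts that contact decoy sensors,
and single out those whose pattern looks like a reconnaissance scan."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one line per connection attempt recorded by a decoy.
# Assumed format: ISO timestamp, decoy host, emulated service, source IP.
DECOY_LOG = """\
2018-05-02T09:14:01Z decoy-fs01 smb 10.20.3.44
2018-05-02T09:14:02Z decoy-fs01 ssh 10.20.3.44
2018-05-02T09:14:02Z decoy-ws07 smb 10.20.3.44
2018-05-02T09:14:03Z decoy-web02 http 10.20.3.44
2018-05-02T09:14:05Z decoy-ws07 ssh 10.20.3.44
2018-05-02T10:30:11Z decoy-web02 http 10.20.7.9
2018-05-02T13:02:40Z decoy-fs01 smb 10.20.9.120
2018-05-02T13:02:41Z decoy-fs01 smb 10.20.9.120
"""

SCAN_WINDOW = timedelta(minutes=5)  # assumed tuning value
SCAN_THRESHOLD = 3                  # distinct decoy host/service pairs in the window


def parse_decoy_log(text):
    """Turn the raw log text into a list of event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, service, src = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "service": service, "src": src,
        })
    return events


def analyze(events):
    """Return (touches, scans).

    touches: how many times each source contacted any decoy (every source
             here is suspicious, because decoys carry no real service).
    scans:   sources that probed at least SCAN_THRESHOLD distinct
             host/service pairs inside SCAN_WINDOW, i.e. a recon sweep.
    """
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_src[e["src"]].append(e)

    touches, scans = {}, {}
    for src, evs in by_src.items():
        touches[src] = len(evs)
        # Sliding window anchored on each event of this source.
        for i, first in enumerate(evs):
            targets = set()
            for e in evs[i:]:
                if e["ts"] - first["ts"] > SCAN_WINDOW:
                    break
                targets.add((e["host"], e["service"]))
            if len(targets) >= SCAN_THRESHOLD:
                scans[src] = {"first_seen": first["ts"], "targets": sorted(targets)}
                break
    return touches, scans


def build_alerts(events):
    """One alert per source; scans are escalated over single touches."""
    touches, scans = analyze(events)
    alerts = []
    for src in sorted(touches):
        if src in scans:
            alerts.append({"src": src, "kind": "recon_scan",
                           "attempts": touches[src],
                           "targets": scans[src]["targets"]})
        else:
            alerts.append({"src": src, "kind": "decoy_touch",
                           "attempts": touches[src]})
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(parse_decoy_log(DECOY_LOG)):
        print(alert)
```

On the sample input the host that hits five different decoy services within a few seconds is reported as a reconnaissance scan, while the two sources that contacted a single decoy are still alerted, only with lower severity; in a real deployment the second class is where the forensic value lies, since the decoy records exactly what the intruder tried to do with it.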
Privacy policy

All data collected from customer deployments is sent through secure, encrypted channels and stored on controlled, secured servers. Access to data is carefully restricted to authorized users and for authorized purposes only. All data is physically stored in Europe. We respect our users’ privacy and our customers’ need to protect sensitive data and corporate secrets. Data collected from one customer is never shared with other customers. You can find more information in our privacy and confidentiality policies, especially with regards to data handling.

THREAT HUNTING AND DATA SCIENCE

Unlike the traditional approach of creating and applying a set of detections based on known “bad” behavior, we run actual attacks against our systems and train them on what “good” behavior looks like. We then flag everything else for further analysis and false-positive filtering. This, we believe, is the approach that most other breach detection vendors will also settle on in the future.

Threat-hunting systems need to be able to adapt to changes quickly. Everything in a monitored environment is in flux. People and devices come and go. Operating systems and software get patched. New threats and TTPs emerge. Due to the nature of this flux, traditional IDS solutions tend to be “noisy” and prone to false alarms. These same traditional solutions are also always one step behind the threat landscape.

In order to tackle this problem, our data scientists, working alongside the experts at RDC, have designed and built a series of backend statistical analysis, machine learning, and expert systems to support our threat hunters. You may have noticed others in the industry referring to this approach as “Artificial Intelligence”. The core of the RDS backend is very simple, and all of the complexity is embedded in surrounding algorithms. This approach enables very fast deployment times for new detection algorithms (in minutes) and allows us to adapt to changes quickly. With RDS in place, there’s never a need to wait for the systems deployed on your own premises to receive updates – all the logic is in our backend systems.

Our analytics systems perform a number of tasks, from analyzing and learning behaviors in monitored environments to reducing false positives. Different analysis techniques are better suited for different tasks. For instance, an expert system is best suited to find the sort of behavior caused by common attack tools and by the TTPs employed by cyber criminals. These include PowerShell commands and malicious URLs and IP addresses. Machine learning systems are designed to spot previously unknown bad behavior, such as DHCP hijacks, spoofing, and other stealthy evasion tactics. We also utilize different multi-level combinations of expert systems, statistical analytics, and machine learning.

We’ve found that simple statistical analytics are best suited for eliminating false positives, and by applying these methods, we currently eliminate approximately 80% of all irrelevant alerts. The way we’ve built these systems and the way they interact with each other is quite unique, and something we’ve not seen elsewhere in the industry.

This combination of artificial intelligence and cyber security specialists is about the most efficient and accurate configuration we could come up with for working with the event data we receive. And it allows us to spot attacks before they have a chance to do damage or access business-critical data.
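Two ideas from the sections above fit together naturally in code: learn a baseline of “good” behavior and flag everything outside it, then let a simple statistical filter discard the flagged events that are obviously benign; and, because the logic lives in the backend next to stored history, a detection rule written today can be run retrospectively over events collected earlier (the retrospective threat hunting described under Detection and Deception). The block below is an added example written for this page, not F-Secure’s backend; the event shape (day, host, parent process, child process), the baseline period, the prevalence cut-off, the rule and every sample event are constructed assumptions.

```python
"""Added example (not F-Secure code): baseline-then-flag detection over a
store of normalized endpoint events, a prevalence filter for false
positives, and a retrospective run of a new rule over the same history."""
from collections import defaultdict

# Constructed sample of normalized endpoint events:
# (day, host, parent process, child process it launched).
HISTORY = [
    ("d1", "ws01", "explorer.exe", "outlook.exe"),
    ("d1", "ws02", "explorer.exe", "outlook.exe"),
    ("d1", "ws03", "explorer.exe", "outlook.exe"),
    ("d1", "ws01", "outlook.exe", "winword.exe"),
    ("d1", "ws02", "outlook.exe", "winword.exe"),
    ("d2", "ws01", "svchost.exe", "updater.exe"),   # software rollout
    ("d2", "ws02", "svchost.exe", "updater.exe"),
    ("d2", "ws03", "svchost.exe", "updater.exe"),
    ("d2", "ws04", "svchost.exe", "updater.exe"),
    ("d3", "ws01", "winword.exe", "powershell.exe"),  # unusual on one host
    ("d3", "ws01", "powershell.exe", "net.exe"),
    ("d3", "ws04", "explorer.exe", "outlook.exe"),
]

BASELINE_DAYS = {"d1"}  # assumed period used to learn "good" behaviour
PREVALENCE_CUTOFF = 3   # assumed: a pair seen on this many hosts is a rollout


def learn_baseline(events, days):
    """The set of parent/child pairs observed during the baseline period."""
    return {(p, c) for d, _, p, c in events if d in days}


def flag_unknown(events, baseline, days):
    """Flag everything in `days` that the baseline has not seen."""
    return [e for e in events if e[0] in days and (e[2], e[3]) not in baseline]


def prevalence_filter(flagged, events, cutoff):
    """Statistical false-positive filter: a pair that appears on many hosts
    at once is almost always a patch or rollout, not an intrusion."""
    hosts_per_pair = defaultdict(set)
    for _, h, p, c in events:
        hosts_per_pair[(p, c)].add(h)
    return [e for e in flagged if len(hosts_per_pair[(e[2], e[3])]) < cutoff]


def retrospective_hunt(events, rule):
    """Run a detection rule written later over all stored history."""
    return [e for e in events if rule(e)]


def office_spawns_shell(event):
    """Example rule (assumed): an Office application launching PowerShell."""
    _, _, parent, child = event
    return parent in {"winword.exe", "excel.exe", "outlook.exe"} and child == "powershell.exe"


def run(events=HISTORY):
    """Carry the whole pipeline through and return the pieces for inspection."""
    baseline = learn_baseline(events, BASELINE_DAYS)
    later = {d for d, *_ in events} - BASELINE_DAYS
    flagged = flag_unknown(events, baseline, later)
    kept = prevalence_filter(flagged, events, PREVALENCE_CUTOFF)
    hits = retrospective_hunt(events, office_spawns_shell)
    return {"baseline": baseline, "flagged": flagged, "kept": kept, "hits": hits}


if __name__ == "__main__":
    result = run()
    print(f"{len(result['flagged'])} flagged, {len(result['kept'])} kept after prevalence filter")
    for e in result["kept"]:
        print("  review:", e)
    print("retrospective rule hits:", result["hits"])
```

On the sample data the baseline learns two ordinary pairs, six later events fall outside it, the four copies of the rollout are dropped because they appear on four hosts at once, and the two single-host events on ws01 remain for a hunter to look at. The retrospective rule, applied to the full history, surfaces the Word-to-PowerShell launch even though it was collected before the rule existed, which is the point of keeping normalized history in the backend.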
RED TEAMING

RDS capabilities are primarily developed using an iterative, red teaming approach. In short, we have our guys attack systems, figure out what RDS didn’t catch, and make improvements. Some improvements are made by hand. Others are learned by our backend systems during the red teaming exercises. As part of this process, we document and visualize the various attack chains used, which allows the red teamers to come up with new, more devious attack methods.

Our first recommendation to customers who have just purchased RDS is to bring in a third party and run a red team exercise against our service. Not only does it help them verify that everything has been correctly set up, it allows them to see the process in action, which is a nice way to practice for a real incident.

On the subject of red teaming, we’ve challenged third parties to bypass RDS, but none have managed to do so yet. But there’s more. There are at least seventy companies out there that claim they can detect and remediate any targeted attack. In our experience, there are very few that actually can. How do we know? Well, so far, we have a flawless success rate on corporate exposure assignments (where a customer ordered a targeted attack from us). In every single case, we successfully breached organizations running our competitors’ products. And none of those products detected our attacks. We’re not going to name any names.

SUMMARY

As we see it, today’s cyber security situation can be summarized in the following few bullet-points:

  • Most organizations simply don’t know if they’ve been breached or not.
  • Static defenses aren’t even close to being 100% successful against attackers.
  • Attackers are overly cautious about being caught.
  • Building good breach detection and response capabilities is difficult.
  • Red teaming is the only way to properly test your defenses.

What we’ve seen happening over the last few years reflects a new reality. And right now, building detection and response capabilities is a complex task involving many separate components and moving parts. And a lot of manual work.

We expect that down the road, the components and technologies designed to detect and stop cyber attacks will be pieced together to create self-adapting automated systems that are able to learn from any new stimuli they encounter. Such systems will automatically run network discovery, vulnerability assessments, patching, and perform post-breach response and remediation activities. When intrusion or post-breach TTPs are discovered, these systems will automatically reconfigure to prevent that mechanism from being used in the future. And in the event of a breach, affected systems, accounts, and access controls will be automatically remediated.

For now, though, if you are concerned about whether you’re being hacked (and we think you probably should be), we highly recommend talking to us about RDS. Because we think a managed solution is the way to go. And here’s why:

  • You’ll have full detection and response capabilities up and running within days of initiating deployment.
  • You won’t need to hire your own cyber security experts, build your own systems, or run your own response operations – we’ve got that covered.
  • We promise to contact you within thirty minutes of spotting any real incident on your network.

If you’re interested in reading more, we’ve got a three-part ebook series that starts with a detailed explanation of a real breach case, explains how companies are going about building their own breach detection and response capabilities, and concludes with our tips on implementing breach detection and response capabilities. We also have numerous blog posts on subjects including cyber crime, detection and response, and detailed explanations of the technologies and processes that F-Secure uses. Finally, we published State of Cyber Security 2017 which includes more stories and case studies from the field. All of these can be found from F-Secure’s website.

FROM THREAT TO RESPONSE - HOW RAPID DETECTION & RESPONSE SERVICE WORKS

[Diagram: Attacker -> Your Organization (Endpoint Sensors; Network and Decoy Sensors) -> Events -> Detection and forensics platform (Real-time behaviour analysis; Big data analytics; Reputational analytics) -> Anomalies -> Rapid Detection & Response Center (Threat hunters; Incident responders; Forensic experts) -> Alert, within a maximum of 30 minutes -> CISO -> Action (PR, Marketing, Finance)]

Key messages shown alongside the diagram:
- Max 30 minutes from detection to response *
- Immediate return on investment as a turnkey managed service

* Our Service Level Agreement guarantees that no more than 30 minutes will elapse between detecting a real threat and communicating it to the customer.
We see things
others don’t
      About F-Secure
Nobody knows cyber security like F-Secure. For three decades, F-Secure has driven innovations in cyber security, defending tens of thousands of companies and millions of people. With unsurpassed experience in endpoint protection as well as detection and response, F-Secure shields enterprises and consumers against everything from advanced cyber attacks and data breaches to widespread ransomware infections. F-Secure's sophisticated technology combines the power of machine learning with the human expertise of its world-renowned security labs for a singular approach called Live Security. F-Secure's security experts have participated in more European cyber crime scene investigations than any other company in the market, and its products are sold all over the world by over 200 broadband and mobile operators and thousands of resellers. Founded in 1988, F-Secure is listed on the NASDAQ OMX Helsinki Ltd.