Spice world 2014 hacker smackdown
About AlienVault
“There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.”
- James Routh (CISO, Depository Trust Clearing Corporation)
“In today’s modern world, technology alone is not enough to combat the threats that now face organizations of all types and sizes. With the integration of continuous threat intelligence updates from OTX and AlienVault Labs, we can now provide millions of Spiceworks users with insight into the threats that could impact their business, and the guidance they need to take preventative measures.”
- Russ Spitler
Agenda
What is this SpiceWorks / AlienVault Integration?
Where does the threat data come from?
What should I do when I get an AlienVault alert in SpiceWorks?
Introduction to AlienVault USM.
Demo with Victor Obando, systems engineer.
AlienVault Threat Alerts in Spiceworks
Alerts in Spiceworks: Dashboard & Device Details Page
“SpiceWorks has found a connection with a potentially suspicious IP Address 77.240.191.89 on device tmg-mbh.”
Investigating Your Threat Alert
Threat Details
Remediation Advice
False Positives… The Root Cause
IPs Change: an IP may be reassigned to a different server or owner.
Threats Get Remediated: in the case of compromised/slaved servers, the system owners may remediate the threat.
Threats Naturally Expire: campaigns and targeted attacks end per the orchestrator’s plans.
windows.update.nsatc.net
safe.happy.unicorns.malware.hackyou.com
What is Open Threat Exchange (OTX)?
The world’s largest crowd-sourced threat repository
Provides access to real-time, detailed information about threats and incidents
Enables security professionals to share threat data and benefit from data shared by others
Powers the AlienVault Threat Alerts in SpiceWorks
OTX + AlienVault Labs
Threat Intelligence Powered by Open Collaboration
Updates every 30 minutes
200,000 – 350,000 IP addresses validated daily
8,000 Collection Points
140 Countries and growing
Threat Types Detected
Malware Domain: distributing malware or hosting exploit code
Malware IP: instrumental in malware, including malicious redirection
Command and Control: sending command and control instructions to malware or a botnet
Scanning Host: observed repeatedly scanning or probing remote systems
APT: observed to be actively involved in an APT campaign
Spamming Host: actively propagating or instrumental in the distribution of spam
Malicious Host: engaged in malicious but uncharacterized activity
Data Expiry & Privacy
122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
122.225.118.66 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841
188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0
211.87.176.197 # Scanning Host CN,,35.0,105.0
95.163.107.201 # Spamming RU,,60.0,100.0
188.138.110.48 # Malicious Host;Scanning Host DE,,51.0,9.0
72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112
174.120.172.125 # Malware IP US,Houston,29.7523002625,-95.3669967651
210.148.165.67 # Malware IP JP,,36.0,138.0
75.75.253.84 # Spamming US,Henderson,36.0312004089,-115.073898315
What OTX Collects
• External IPs connecting to system
• Traffic Patterns (Timestamps)
What OTX Does NOT Collect
• System data
• System information
• Internal IP traffic
• Any personally identifiable information
Contributed Data: expires after 30 Days
Scanning: expires after 30 Days without additional evidence
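The two slides above describe a record format (IP, one or more threat types, country/city/coordinates), a taxonomy, a privacy rule (external IPs only) and an expiry rule (contributed data ages out after 30 days; scanning evidence stays alive only while new evidence keeps arriving). The following Python is an added example, not AlienVault's or Spiceworks' code: it parses the slide's own feed lines, applies the 30-day windows, refuses to treat private addresses as contributable, and triages an alert worded like the one on the "Alerts in Spiceworks" slide so that an operator can see whether the evidence behind it is still current or has aged into the false-positive territory the "Root Cause" slide describes. Assumptions: the layout `<ip> # <type>[;<type>] <CC>,<city>,<lat>,<lon>` is read off the slide, the feed's "Spamming" is the slide's "Spamming Host" category, and every sighting date is constructed.

```python
"""
Parser and expiry check for the IP reputation records on the "Data Expiry &
Privacy" slide, plus a triage helper for a SpiceWorks-style threat alert.
Added example, not AlienVault's or Spiceworks' code.  Assumptions: the record
layout is read off the slide ("<ip> # <type>[;<type>] <CC>,<city>,<lat>,<lon>"),
"Spamming" in the feed is the slide's "Spamming Host" category, the 30-day
windows are the slide's, and every sighting date below is constructed.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
import ipaddress
import re

EXPIRY_DAYS = 30  # slide: contributed data and scanning evidence expire after 30 days

# Taxonomy from the "Threat Types Detected" slide.
KNOWN_TYPES = {"Malware Domain", "Malware IP", "Command and Control", "Scanning Host",
               "APT", "Spamming Host", "Malicious Host"}
ALIASES = {"Spamming": "Spamming Host"}  # assumption: feed shorthand for the slide's category

# Trailing geo block: two-letter country, optional city, latitude, longitude.
GEO_RE = re.compile(r"\s(?P<cc>[A-Z]{2}),(?P<city>[^,]*),"
                    r"(?P<lat>-?\d+(?:\.\d+)?),(?P<lon>-?\d+(?:\.\d+)?)\s*$")
# Wording of the alert shown on the "Alerts in Spiceworks" slide.
ALERT_RE = re.compile(r"IP Address (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) on device "
                      r"(?P<device>[\w-]+(?:\.[\w-]+)*)")


@dataclass
class Record:
    ip: str
    country: str
    city: str
    lat: float
    lon: float
    sightings: dict[str, list[date]] = field(default_factory=dict)  # type -> evidence dates

    def active_types(self, today: date) -> set[str]:
        """Types with evidence inside the window; a fresh sighting extends it, silence expires it."""
        cutoff = today - timedelta(days=EXPIRY_DAYS)
        return {t for t, days in self.sightings.items() if any(d >= cutoff for d in days)}

    def is_expired(self, today: date) -> bool:
        return not self.active_types(today)


def parse_line(line: str, seen: date) -> Record:
    """Parse one feed line; `seen` is the contribution date for every type on it."""
    ip_part, _, rest = line.partition("#")
    ip = ip_part.strip()
    ipaddress.ip_address(ip)  # raises ValueError on a malformed address
    m = GEO_RE.search(rest)
    if not m:
        raise ValueError(f"no geo block in {line!r}")
    rec = Record(ip, m["cc"], m["city"], float(m["lat"]), float(m["lon"]))
    for raw in rest[: m.start()].split(";"):
        t = ALIASES.get(raw.strip(), raw.strip())
        if t not in KNOWN_TYPES:
            raise ValueError(f"unknown threat type {t!r} in {line!r}")
        rec.sightings[t] = [seen]
    return rec


def load_feed(dated_lines: list[tuple[str, date]]) -> dict[str, Record]:
    """Merge dated lines per IP so repeated evidence for a type keeps it alive."""
    feed: dict[str, Record] = {}
    for line, seen in dated_lines:
        rec = parse_line(line, seen)
        if rec.ip in feed:
            for t, days in rec.sightings.items():
                feed[rec.ip].sightings.setdefault(t, []).extend(days)
        else:
            feed[rec.ip] = rec
    return feed


def contributable(ip: str) -> bool:
    """Slide: OTX collects external IPs only; private, loopback and link-local never leave the site."""
    return ipaddress.ip_address(ip).is_global


def triage(alert: str, feed: dict[str, Record], today: date) -> dict:
    """Look the alerted IP up and say whether the evidence behind it is still current."""
    m = ALERT_RE.search(alert)
    if not m:
        raise ValueError("not a SpiceWorks threat alert")
    ip, device = m["ip"], m["device"]
    rec = feed.get(ip)
    if rec is None:
        verdict, types = "unknown", set()   # nothing in this feed to act on
    elif rec.is_expired(today):
        verdict, types = "expired", set()   # slide: IPs change hands, threats get remediated or expire
    else:
        verdict, types = "active", rec.active_types(today)
    return {"ip": ip, "device": device, "verdict": verdict, "types": sorted(types)}


TODAY = date(2014, 9, 15)  # constructed "now"
# Feed lines copied from the slide (split coordinates rejoined); sighting dates are constructed.
SAMPLE_FEED = load_feed([
    ("122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841", date(2014, 7, 20)),
    ("122.225.118.219 # Scanning Host CN,Hangzhou,30.2936000824,120.161399841", date(2014, 9, 12)),
    ("188.138.100.156 # Malware IP;Scanning Host DE,,51.0,9.0", date(2014, 8, 30)),
    ("95.163.107.201 # Spamming RU,,60.0,100.0", date(2014, 9, 1)),
    ("72.167.131.220 # Malware IP US,Scottsdale,33.6119003296,-111.890602112", date(2014, 7, 25)),
])

if __name__ == "__main__":
    for ip in ("122.225.118.219", "72.167.131.220", "77.240.191.89"):
        alert = f"SpiceWorks has found a connection with a potentially suspicious IP Address {ip} on device tmg-mbh."
        print(triage(alert, SAMPLE_FEED, TODAY))
```

The scanning host 122.225.118.219 stays "active" only because a second, recent sighting was merged in; with the July line alone it would have expired, which is exactly the "without additional evidence" clause. A verdict of "expired" is the cue to flag the record for review rather than to isolate the device, and `contributable` is the guard to run before any external IP is submitted back to a sharing platform.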
Recent Breach Disclosures (timeline): Aug 7, 2014; August 7th; August 15th; August 20th; August 27th; August 28th; September 2nd; September 4th; September 10th
Threat Landscape: Our New Reality
More and more organizations are finding themselves in the crosshairs of various bad actors for a variety of reasons.
The number of organizations experiencing high profile breaches is unprecedented.
The “security arms race” cannot continue indefinitely, as the economics of securing your organization are stacked so heavily in favor of those launching attacks that incremental security investments are seen as impractical.
84% of organizations breached had evidence of the breach in their log files… (Source: 2012 Verizon Data Breach Investigations Report)
You’ve Got Options: Many Point Solutions… Integration Anyone? OR Unified Security Management
Asset Discovery
• Active Network Scanning
• Passive Network Scanning
• Asset Inventory
• Host-based Software Inventory
Vulnerability Assessment
• Network Vulnerability Testing
• Remediation Verification
Threat Detection
• Network IDS
• Host IDS
• Wireless IDS
• File Integrity Monitoring
Behavioral Monitoring
• Log Collection
• Netflow Analysis
• Service Availability Monitoring
Security Intelligence
• SIEM Event Correlation
• Incident Response
Why AlienVault for Your Environment
Unified, Coordinated Security Monitoring in a single console
Simple Security Event Management and Reporting
Cutting edge, crowd-sourced threat intelligence from AlienVault Labs and Open Threat Exchange™ (OTX)
SIEM, Network IDS, Host IDS, Wireless IDS, File Integrity Monitoring, Vulnerability Assessment and more.
Full suite of compliance reporting
Fast Deployment – Be up and running in 1 hour
Designed and Priced for the Midmarket – Starts at $3600!
AlienVault Labs Threat Intelligence: Coordinated Analysis, Actionable Guidance
Weekly updates that cover all your coordinated rule sets:
• Network-based IDS signatures
• Host-based IDS signatures
• Asset discovery and inventory database updates
• Vulnerability database updates
• Event correlation rules
• Report modules and templates
• Incident response templates / “how to” guidance for each alarm
• Plug-ins to accommodate new data sources
Fueled by the collective power of AlienVault’s Open Threat Exchange (OTX)
Award-Winning Solution Used by 10,000+ for Threat Detection, Incident Response and Compliance Management
Now Let’s See It In Action
More Questions? Email Hello@AlienVault.com
Thank You! Any Questions?
Test Drive AlienVault USM
Download a Free 30-Day Trial: http://www.alienvault.com/free-trial
Try Our Product Sandbox: http://www.alienvault.com/live-demo-site


Editor's Notes

  • #2: Hello SpiceHeads! – my name is Garrett Gross and I’m the Senior technical product marketing manager here at AlienVault. Before that, I was a sales engineer at Solarwinds (you may have heard of them) and, before that, a sysadmin at a storage software company. I’ve held many other IT positions as well - help desk, hardware repair, tech support, bounty hunter, etc. Most importantly, I’m very passionate about information security and, of course, bacon. I’m very excited to be here at SpiceWorld. It’s been a great show so far and I can’t believe the response we’ve had! I’m also SUPER excited to be speaking to you today and really appreciate your time. There will be a Q&A at the end so make sure to stick around for that! Let me tell you a bit about AlienVault.
  • #3: Founded in 2007, AlienVault is the leading provider of Unified Security Management and crowd-sourced threat intelligence, headquartered in San Mateo, CA; with offices in Austin, TX; Madrid and Granada, Spain as well as Cork, Ireland. You all probably know us from the AlienVault Threat Alerts in your SpiceWorks dashboard, alerting you to any monitored devices in your environment that are in contact with potentially malicious hosts. We’ve gotten a lot of GREAT feedback from the SpiceWorks community and are glad to hear that so many of you are using and enjoying this integration. I’d like to take some time to talk to you about these Threat Alerts, how we get our data to identify these threats, and what to do when you receive an alert like this. But first – let’s talk about getting hacked…
  • #4: Famously quoted back in 2007, James Routh (CISO for the Depository Trust Clearing Corporation) said: “There are two types of companies that use computers. Victims of crime that know they are victims of crime and victims of crime that don’t have a clue yet.” We need to go about our day knowing that we will get attacked. Not only will we get attacked, there is nothing we can do that will ever 100% prevent someone from compromising assets in our environments.
  • #5: To quote one of the more talented individuals that I work with, Russ Spitler: “In today’s modern world, technology alone is not enough to combat the threats that now face organizations of all types and sizes. With the integration of continuous threat intelligence updates from OTX and AlienVault Labs, we can now provide millions of Spiceworks users with insight into the threats that could impact their business, and the guidance they need to take preventative measures.” And, he’s right – IT pros today need to understand that no amount of security controls will prevent attackers from compromising machines on the perimeter. So, again – to best prepare for, and understand how to properly mitigate, attacks, we need to operate under the assumption that attackers will breach even the best of security measures. More information about what is going on in your environment from a security perspective will make dealing with these attacks much easier. That’s where we come in…
  • #6: Real quick, though - Here’s an agenda of what I’d like to cover today. What is this SpiceWorks / AlienVault Integration? Where does the threat data come from? What should I do when I get an AlienVault alert in SpiceWorks? Introduction to AlienVault Unified Security Management platform, our commercial product. Demo with Mark Allen, systems engineer.
  • #7: SpiceWorks/AlienVault integration. As I mentioned earlier (and as most of you here know), SpiceWorks comes with AlienVault Threat Alerts built-in (at no charge) as of version 7.1 (as you can see up here). There’s nothing additional you need to do to enable these alerts. With all these alerts coming in, SpiceWorks users are quickly figuring out that there is a lot of communication coming in and out of their environment that they are not aware of.
  • #8: This integration alerts you when one of your monitored devices is found communicating with a known threat, a host we have a record of in our Open Threat Exchange. This is what they look like in your SpiceWorks dashboard.
  • #9: Clicking on “View Details of threat” then takes you to the Threat Details page where you will find more information about the potentially malicious host:
  • #10: It will display the threat type (malware domain, command and control server, scanning host, etc), what domains might be associated with the host, any blacklists that the IP is on, when the threat was first and last seen, and how many alerts have been raised in SpiceWorks from this IP.
  • #11: Scroll down the page and you get a description of what we think this threat is and how we recommend interacting (or not interacting) with it. Directly to the right, you can see how often this threat comes up in our findings to maybe give you an idea of how active a threat this is. We’ll also display the download link, file type, and MD5 hash of known malicious payloads delivered by the host.
  • #12: Lastly, we have some GREAT remediation advice that gives you an idea what to do once you know one of your machines has come in contact with a known bad actor. For instance – there are quick tips on how to isolate an infected host or quarantine a command and control server. We’ve actually tailored this advice depending on the direction of the communication (inbound, outbound, or bidirectional).
  • #13: Our labs team works tirelessly to ensure that you are getting the most accurate data, quickly enough to deal with current threats. However, even the most thorough analysis has a chance to produce false positives and we welcome your feedback. If you feel that the IP we have listed as a potential threat is not, in fact, malicious in nature, we would like you to let us know. In the top part of the Threat Details page, there is a link to flag the IP address for review. That will alert our labs team and the report will go under further review. They will then either provide additional detail substantiating the notion that the host is malicious or, in the case that it isn’t, purge the record from our database. So – why the false positives?
  • #14: IPs change. IPs can easily be assigned to a different server and/or owner. Threats Get Remediated. In the case of compromised/slaved servers, system owners may respond to and remediate the threat. And Threats Naturally Expire. Campaigns and targeted attacks end per orchestrator’s plans. Honestly, that’s the case more often than not these days. Multi-stage dynamic attacks tend to be the more prevalent attack where the same compromised hosts (C&C servers, botnets, rootkits) are rarely used again. Also - some URLs can just LOOK malicious. An example of that is one that came up recently. Microsoft is (or was) using CenturyLink (formerly Savvis Communications) to host some update content. Unfortunately,
  • #15: ‘windows.update.nsatc.net’ could look a lot like
  • #16: safe.happy.unicorns.malware.hackyou.com to some IP reputation scanners out there. Now – these entries are usually auto-purged or thrown out by our team by the time the data reaches us but this would be a great opportunity for one of you to flag the IP for review.
  • #17: Where does this data come from? Many of you are probably wondering where our IP reputation data comes from and the short answer is “from our Open Threat Exchange” or “OTX”. OTX is an open information sharing and analysis network, providing access to real-time, detailed information about threats around the world. It is also the same threat intelligence that powers our security platform, USM (which some of you here might be familiar with or even use today). The Open Threat Exchange is an integrated approach to threat intelligence, comprised of data from 140+ countries and the independent research from our AlienVault Labs’ team. We analyze over 500,000 malware samples per day, updated every 30 minutes, converting this threat data into actionable intelligence. This allows you to call out truly significant events to help you prioritize your efforts and reduce the need for in-house expertise.
  • #18: OTX derives its data from three primary sources: USM and OSSIM installations that enable OTX sharing, external feeds from public researchers and partners, as well as the research done by our AlienVault Labs team. This data is then run through a powerful discovery engine that is able to granularly analyze the nature of the threat, as well as a similarly powerful validation engine that continually curates the database and certifies the validity of those threats.   Crowd-sourced information remains the core focus of OTX, deriving information from normalized, anonymous event logs: firewalls, content filters, ips/ids logs, etc. We receive approximately 17,000 contributions daily from over 140+ countries. Just to be clear, though: OTX's information is anonymous. OTX does not analyze your data or do anything that would identify you or your activity. We are solely focused on analyzing the nature of the threat jeopardizing your system.   OTX receives a significant amount of data from the security community itself. We work with public research institutions, government organizations, and private companies and partners to share and analyze threat data.   AlienVault Labs’ research is also a critical part of our analysis. Our labs team generates novel research on high profile threats and is responsible for instrumenting the automatic analysis for discovering and certifying all threats coming from OTX partners, OSSIM and USM customers who opt in to share data. I want to point out that this is the integration point for our app within SpiceWorks, leveraging the cloud services capabilities within the application.   Simply tracking threats isn't enough. To properly architect a solid defense, you need context. OTX is able to use its powerful validation engine to provide introspection to not only whether a threat is valid, but also WHAT kind of threat it is.
  • #19: I want to emphasize how powerful this automated engine is: it can perform code-level analysis to discover whether a threat is part of an APT campaign, deconstruct binaries to see whether a host is a command-and-control server for a botnet, and even use the taxonomy of a known attack to see where malware is being stored versus where it simply passes through.   Data quality is key with OTX, and two big parts of our validation engine are its ability to score and analyze threats and to continually re-certify the data. For scoring and validation, we confirm data against other sources to make sure we're not seeing false positives. This includes pruning known security-research hosts as well as whitelisted sources. The engine also scores threats and uses feedback to gauge the potential danger associated with each one.   Like I mentioned earlier: things change. It's very important not only to discover these threats but to continuously monitor for changes in activity. IPs often change ownership, threats get remediated, and threats naturally expire.
  • #20: Thankfully, we reflect that in our data. Our engine ensures that our threat intelligence stays fresh and relevant. Generally, data on a threat expires after 30 days unless new information shows it remains active; for specific types of threats these expiry rules may differ.   As I mentioned earlier, the information that the Open Threat Exchange collects (should you choose to share your data with the OTX community) is anonymous. External IPs connecting to your systems and traffic patterns (when those connections were made) are collected, but specific system information, internal IP traffic, and any other personally identifiable information are not. Don't worry, no one cares that you're totally into My Little Pony anyway.   So, back to Spiceworks. You've gotten an alert that one of your devices has been in contact with a potentially malicious host. What do you do?
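The aging and allowlisting rules described in the last two slides (prune known research and vendor hosts, require corroboration, expire an indicator 30 days after its last sighting unless something new arrives) are easy to get subtly wrong in a home-grown blocklist. The following is an added illustration written for this page, not OTX's validation engine or any AlienVault code. It assumes a flat 30-day TTL refreshed by every new sighting, a hand-maintained allowlist (the two entries in it are constructed examples), and a simple corroboration rule that an indicator is only "active" once two independent sources have reported it; the IP 203.0.113.45 is a documentation-range address, not a real threat.

```python
"""Illustrative indicator aging and allowlisting (example code for this page).

Not OTX's engine. Assumptions: 30-day TTL refreshed by each sighting, a static
allowlist, and 'active' status only after two independent sources agree.
Timestamps may be datetime objects or ISO date strings ("2014-09-05").
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta

TTL = timedelta(days=30)

# Constructed allowlist (hypothetical entries): vendor update infrastructure
# and a research scanner whose traffic must never be scored as a threat.
ALLOWLIST = {"windows.update.nsatc.net", "198.51.100.7"}


def _ts(t):
    """Accept datetime or ISO-8601 string so callers can stay readable."""
    return t if isinstance(t, datetime) else datetime.fromisoformat(t)


@dataclass
class Indicator:
    value: str                      # IP or hostname
    kind: str                       # e.g. "c2", "scanner", "malware-host"
    first_seen: datetime
    last_seen: datetime
    sources: set = field(default_factory=set)


def ingest(db, value, source, seen_at, kind="unknown"):
    """Record a sighting. Returns the updated Indicator, or None when the value
    is allowlisted and therefore pruned before it ever reaches the store."""
    if value in ALLOWLIST:
        return None
    seen_at = _ts(seen_at)
    rec = db.get(value)
    if rec is None:
        rec = Indicator(value, kind, seen_at, seen_at)
        db[value] = rec
    # A new sighting refreshes the TTL; first_seen never moves forward.
    rec.first_seen = min(rec.first_seen, seen_at)
    rec.last_seen = max(rec.last_seen, seen_at)
    rec.sources.add(source)
    if rec.kind == "unknown":
        rec.kind = kind
    return rec


def is_expired(rec, now):
    return _ts(now) - rec.last_seen > TTL


def expire(db, now):
    """Drop indicators not seen within the TTL; returns the removed values."""
    stale = [v for v, rec in db.items() if is_expired(rec, now)]
    for v in stale:
        del db[v]
    return stale


def lookup(db, value, now):
    """Status of an indicator as an alerting consumer would see it at `now`."""
    if value in ALLOWLIST:
        return "allowlisted"
    rec = db.get(value)
    if rec is None:
        return "unknown"
    if is_expired(rec, now):
        return "expired"
    # Corroboration: one source is only a candidate, two or more is certified.
    return "active" if len(rec.sources) >= 2 else "candidate"


if __name__ == "__main__":
    db = {}
    ingest(db, "203.0.113.45", "firewall-a", "2014-09-01", "c2")
    print(lookup(db, "203.0.113.45", "2014-09-02"))   # candidate
    ingest(db, "203.0.113.45", "labs", "2014-09-05", "c2")
    print(lookup(db, "203.0.113.45", "2014-09-06"))   # active
    print(lookup(db, "203.0.113.45", "2014-10-07"))   # expired
    print(ingest(db, "windows.update.nsatc.net", "ids", "2014-09-05"))  # None
```

The two details worth copying are that expiry is measured from the last sighting rather than the first (so an indicator that keeps getting reported never ages out), and that the allowlist check happens on ingest as well as on lookup, so a vendor host that merely looks suspicious never accumulates a score in the first place.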
  • #21: What you don't do is freak out. The alerts that pop up in your dashboard are not meant to cause panic or lead you to believe there has been a compromise. However, they are certainly important enough to pay attention to.   If you don't already have go-to IP/URL reputation sites (VirusTotal, totalhash, etc.), just Google the IP. A word of caution, though: put the IP into the actual search field, not the "hybrid" navigation/search field in the address bar. That will just take your browser straight to the potentially malicious host. Not like I've done that… earlier today…   Seriously, though, a Google search will usually return results from the top IP reputation sites, including the ones I mentioned. You might have to be creative with the search query, but "<IP in question> malicious", "analysis", "virus", etc. should do the trick. Try to get information from as many sites as possible to either corroborate the alert and confirm the suspected malicious nature of the host, or gather enough evidence that this must be a false positive. If it is, you can dismiss the alert, but not before flagging the IP for our AlienVault Labs team to review.   If it isn't, use your new data to check your IDS and firewall logs for other connections to the host, run thorough scans on potentially compromised devices, rotate credentials, block the IP at the perimeter, and re-image compromised machines if necessary. It would also be smart to run an environment-wide AV/malware scan as soon as possible.
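Before scanning or re-imaging anything, the question a practitioner asks first is "which of my devices talked to that host, when, and did the firewall let it through?" The following added example, written for this page and not part of the Spiceworks/AlienVault integration, answers that from a firewall export. The log format, the internal 10.0.0.0/8 addresses and the flagged IP 203.0.113.45 are all constructed (documentation and private ranges); the `defang` helper produces the bracketed form (`203[.]0[.]113[.]45`) that is safe to paste into a ticket or chat without a client turning it into a clickable link, which is the same mistake as pasting the IP into the address bar.

```python
"""Added triage helper: which hosts contacted the flagged IP, when, and was
the traffic allowed? Example code for this page, not AlienVault's; every
address and log line below is constructed."""
import re
from collections import defaultdict

# Constructed firewall export: "<date> <time> <ACTION> <PROTO> src:port -> dst:port".
# The last line is deliberately malformed to show the parser skips bad input.
SAMPLE_LOG = """\
2014-09-18 09:14:02 ALLOW TCP 10.0.0.21:49211 -> 203.0.113.45:443
2014-09-18 09:14:05 ALLOW TCP 10.0.0.21:49212 -> 198.51.100.20:80
2014-09-18 11:02:17 DENY TCP 10.0.0.37:51000 -> 203.0.113.45:6667
2014-09-19 03:41:50 ALLOW TCP 10.0.0.21:49800 -> 203.0.113.45:443
this line is garbage and must be skipped, not crash the triage
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<action>ALLOW|DENY) "
    r"(?P<proto>\w+) (?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Fields of one log line as a dict, or None when the line doesn't match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def defang(ip):
    """Bracket the dots so chat clients, ticket systems and browsers will not
    turn the address into a link. Use this form everywhere except the
    reputation site's own search box."""
    return ip.replace(".", "[.]")


def triage(lines, flagged_ip):
    """Per internal host: session count, how many were allowed, destination
    ports, and first/last contact with flagged_ip. Timestamps are ISO-ordered
    strings, so min/max give earliest/latest."""
    hosts = defaultdict(lambda: {"first": None, "last": None, "count": 0,
                                 "allowed": 0, "ports": set()})
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] != flagged_ip:
            continue
        h = hosts[rec["src"]]
        h["first"] = rec["ts"] if h["first"] is None else min(h["first"], rec["ts"])
        h["last"] = rec["ts"] if h["last"] is None else max(h["last"], rec["ts"])
        h["count"] += 1
        if rec["action"] == "ALLOW":
            h["allowed"] += 1
        h["ports"].add(int(rec["dport"]))
    return dict(hosts)


def report(lines, flagged_ip):
    """Human-readable summary with the IP defanged. Hosts that actually got
    through the firewall sort first, since those are the scan/isolate cases."""
    hosts = triage(lines, flagged_ip)
    out = [f"Hosts that contacted {defang(flagged_ip)}: {len(hosts)}"]
    for src, h in sorted(hosts.items(), key=lambda kv: -kv[1]["allowed"]):
        ports = ",".join(str(p) for p in sorted(h["ports"]))
        verdict = ("ALLOWED traffic: scan and isolate" if h["allowed"]
                   else "all sessions blocked: verify, lower priority")
        out.append(f"  {src}: {h['count']} sessions ({h['allowed']} allowed) "
                   f"ports {ports}, {h['first']} .. {h['last']} -> {verdict}")
    return out


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG, "203.0.113.45")))
```

Run against a real export, the host that repeatedly reached port 443 on the flagged address is the one to pull off the network and scan first; the host whose single attempt was denied still needs a look (something on it tried to connect), but it is a lower-priority ticket.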
  • #22: I imagine I would be hard pressed to find someone in this room who is not aware of the recent security breaches involving major retailers and service providers: Target (or is it 'tar-zjhey'?), Home Depot, um…. iCloud??   These are HUGE corporations with seemingly endless budgets and inexhaustible resources, which allow them not only the most expensive and elaborate security systems but also a large, highly skilled team of people to run it all.   But how much attention is paid to the security of the environments powering the midmarket?
  • #23: Talk to slide… "50 percent of all data breaches occurred at companies with fewer than 1,000 employees and 31 percent with fewer than 100 employees." - Verizon 2014 Data Breach Investigations Report. The point I'm trying to make is that, while the big companies get the spotlight, it's the smaller companies that face the greatest number of threats. Most of these companies are fully networked, with their environments exposed to the outside, and some have no protection whatsoever. You know the old adage about 'shooting fish in a barrel'?
  • #24: What's the answer? Buy disparate security controls to address each issue, most of the time AFTER it happens? Manage them independently of each other, maybe even with different people managing different types of security tech?   We all know that doesn't work. It doesn't work for monitoring your network, it doesn't work for monitoring applications, and it doesn't work for security either, especially if you're a small to midsize shop.
  • #25: I propose a different approach – AlienVault’s Unified Security Management platform, combining Asset Discovery, Vulnerability Assessment, Threat Detection, Behavioral Monitoring, and Security Intelligence. Combined with our Threat Intelligence, this unified set of security controls allows users to effectively monitor their infrastructure and keep up with the latest threats.
  • #26: So – again – why do I need this in my environment?
    - Unified, Coordinated Security Monitoring in a single console
    - Simple Security Event Management and Reporting
    - Cutting edge, crowd-sourced threat intelligence from AlienVault Labs and Open Threat Exchange™ (OTX)
    - SIEM, Network IDS, Host IDS, Wireless IDS, File Integrity Monitoring, Vulnerability Assessment and more
    - Full suite of compliance reporting
    - Fast Deployment – Be up and running in 1 hour
    - Designed and Priced for the Midmarket – Starts at $3600!
  • #27: So – not only are we able to offer a comprehensive solution to those that have a tight budget, but also arm organizations that do not have a dedicated security team with expert-level threat intelligence. Think of our AlienVault Labs team as an extension of your own IT team.
  • #28: Regular updates to USM from our labs team include:
    - Network-based IDS signatures
    - Host-based IDS signatures
    - Asset discovery and inventory database updates
    - Vulnerability database updates
    - Event correlation rules
    - Report modules and templates
    - Incident response templates / "how to" guidance for each alarm
    - Plug-ins to accommodate new data sources
    All influenced by the data collected in OTX
  • #29: I want to stress here that we are not only giving you a software solution that is easy to set up and easy to use, but also bolstering it with our open threat intelligence network and independent research from our AlienVault Labs team. Check out our sweet awards…
  • #30: Let's see the product in action!!
  • #31: Any questions?