Huawei Cybersecurity Intelligence System

Advanced Persistent Threats (APTs) are a kind of cyber attack and intrusion orchestrated by hackers targeting enterprises. An APT usually targets enterprises for motives such as data theft or financial gain. APTs are designed to gain access to an enterprise network, extract data, and continuously monitor the targeted computer system without being detected. In recent years, APT attacks have been a topic of much debate in the industry. The unique attack methods of APTs have made traditional security protection tools ineffective. A typical APT attack executes a continuous process, including resource reconnaissance, external penetration, command and control, internal transmission, and data forwarding. Once an enterprise is compromised, hackers can move laterally within the enterprise network and perform data harvesting and transfer. This can result in considerable financial and information losses for the enterprise.

Huawei's Cybersecurity Intelligence System (CIS) defends against APT attacks by utilizing technologies such as big data analytics and machine learning. To guard key information assets, the CIS accurately identifies and defends against APT attacks. It can restore the kill chain of an APT by extracting key information from mass data, assessing risks in multiple dimensions, and correlating isolated anomalies based on big data analytics.
Product Appearances

Solution Highlights
Comprehensive detection: Detection of events based on APT kill chains, correlating and combining threats
Network-wide collaboration: Collaborating with security devices and endpoints to handle detected threats and sharing reputation in the cloud
Network visualization: Real-time awareness of security posture, enabling search and source tracing of PB-level data within seconds

Solution Architecture
[Figure: solution architecture. Layers from top to bottom: Cloud services (global threat intelligence center, APT detection cloud service, unknown files); Visualization (threat detection, attack path visualization, threat report, security posture awareness, system management); Detection and analysis (C&C anomalies, covert channels, traffic anomalies, mail anomalies, web anomalies); Data processing (data pre-processing, distributed storage, distributed indexing, smart search, fed with traffic metadata, syslog/netflow logs, and file information); Data collection (traffic collector, log collector, Huawei sandbox, Huawei next-generation devices).]

Data Collection: The CIS provides services such as quick search, threat detection, and threat visualization by formatting-based pre-processing, storing different types of data in distributed mode, and creating indexes for key formatted data. This is made possible through flow probes collecting metadata from network-wide traffic, log collectors collecting logs from network security devices, and Huawei sandboxes sending files.

CIS: The CIS conducts analysis based on a range of data sources: traffic metadata for C&C, covert tunnel, and mail detection; logs for log correlation analysis; and netflow for traffic anomaly analysis. File information is also referenced during mail and covert tunnel detection to help locate anomalies. The CIS performs all-around assessment on isolated anomaly events by cross-referencing related information about time, space, and IP addresses. In this way, the CIS restores a kill chain to help detect advanced threats.
The CIS visualization layer displays kill chains, network security posture, and threat reports to show how the APT attack process comprises resource reconnaissance, external penetration, command and control, internal transmission, and data forwarding. The CIS then provides information such as network threat posture, attack paths, and high-risk assets. In this way, the CIS helps control network-wide threats in a timely manner.

Cloud-based Services: After detecting advanced threats, the CIS can upload their information to the global threat intelligence center for information sharing on the whole network in real time. The Huawei APT detection cloud service enables customers without a local CIS to upload unknown files to the Cloud for detection. In addition, Huawei network security devices can block the advanced threats reported by the CIS in real time.

Key Components

Data collection
Flow probe: Extracts traffic metadata through mirroring or optical splitting and sends the metadata to the CIS. The CIS then restores the traffic to files and submits them to a sandbox for file inspection.
Log collector: Collects syslogs and netflow data from key network devices and third-party SIEM systems to perform data collection and normalization.
Security sandbox: Restores the traffic mirrored from switches or traditional security devices into files and inspects the files transferred on the network in a virtual environment to detect unknown malicious files. Detection results in the form of logs and the original files are sent to the CIS to serve as penetration intelligence of an APT attack.

Visualization
Visualization node: Visualizes and displays data such as threat posture, kill chains, advanced threat reports, configuration management, and smart search.

Data processing
Cluster controller: Manages the cluster status of the detection and storage node and data dispatcher, and schedules resources for them.
Data dispatcher: Pre-processes the data reported by flow probes and collectors and forwards the data.
Detection and storage node: Controls unified data storage and distributed data indexing, and also detects threats based on distributed data processing and analysis.

Key Values

Comprehensive detection: Detection of events based on APT kill chains, correlating and combining threats
Utilizing information provided by the big data platform, the CIS uses machine learning to check traffic in each attack phase on an APT kill chain, including penetration, stagnation, privilege acquisition, reconnaissance, and data transfer, to detect file, mail, C&C, traffic, log, web, and covert tunnel anomalies based on detection models. The CIS then correlates the anomalies to detect advanced threats.

[Figure: detection based on APT kill chains. Attack behavior per phase and the data source used to detect it: Penetration (click a mail attachment and infect a virus), from sandbox-detected information; Stagnation (call back a C&C server to obtain a task), from traffic metadata and intelligence; Privilege acquisition (steal an account to obtain the internal privilege), from syslog; Reconnaissance (collect data), from netflow; Data transfer (send data outside the internal network), from traffic metadata. Single-point anomaly detection covers mail anomalies (recipient anomaly, high-risk attachment), file anomalies, C&C anomalies (unknown C&C, IP reputation, endpoint external connection, DNS), account anomalies, scanning, brute-force cracking, baseline anomalies, asset collection, covert tunnels, and traffic anomalies. Kill chain correlation of these single-point anomalies leads to threat determination and identification of the attack source.]

File anomaly detection: Restores unknown files from HTTP, SMTP, POP3, IMAP, and FTP traffic. Then, the sandbox can inspect the restored files to detect threats and send detection results in logs to the CIS. The CIS performs mail and web anomaly detection based on file inspection results.
Mail anomaly detection: Detects malicious or suspicious files in mail attachments and insecure URLs in mail bodies through SMTP, POP3, and IMAP traffic analysis conducted at the Internet egress, based on sandbox file inspection results.
C&C anomaly detection: Detects communication between infected internal hosts and external C&C hosts. The CIS analyzes DNS traffic at the Internet egress to detect abnormal connections initiated from the internal network to the outside.
Traffic baseline anomaly detection: Detects abnormal traffic exchanged between the internal network and the Internet, as well as between internal networks. This function checks network access behavior based on the online-learned whitelist or user-defined traffic anomaly detection policies to identify unauthorized access, access frequency anomalies, and access path anomalies.
Log correlation: Extracts signatures from logs, builds log events in a unified format, and conducts cross-referencing and event flow logic analysis in accordance with predefined rules.
Covert tunnel anomaly detection: Detects covert tunnels through which infected hosts in the internal network send data to the Internet, that is, the transmission of unauthorized data by compromised hosts using normal protocols and tunnels. The detection methods include Ping Tunnel, DNS Tunnel, and file anti-evasion detection.

The threats detected by the CIS can be categorized as either advanced or common threats. An advanced threat initiates attacks in multiple attack phases, while a common threat initiates a single-point attack in a single attack phase. The system can display the attack path and impact scope in multiple dimensions, including threats, mails, and files.
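The C&C and covert tunnel rows above both rely on DNS traffic at the Internet egress. The following added example (not CIS code, and not Huawei's detection models) shows two simple single-point heuristics of the kind such a detector can run over a DNS query log: a host whose lookups are mostly failed, high-entropy second-level labels (the footprint of DGA-style C&C lookups), and a host sending many distinct, long subdomain labels under one base domain (the footprint of a DNS tunnel). The log format, the thresholds, the hostnames and all query names are constructed for the example; the base-domain split uses the last two labels, which a real deployment would replace with a public suffix list.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not real traffic).
# Line format assumed for the example: timestamp client_ip qtype rcode qname
SAMPLE_DNS_LOG = """\
2017-05-03T10:00:01 10.1.2.3 A NOERROR www.example.com
2017-05-03T10:00:02 10.1.2.3 A NOERROR mail.example.com
2017-05-03T10:00:03 10.1.2.3 AAAA NOERROR www.example.com
2017-05-03T10:00:05 10.1.2.7 A NOERROR www.example.com
2017-05-03T10:00:06 10.1.2.7 A NXDOMAIN qx7v1kzp9dlw.net
2017-05-03T10:00:07 10.1.2.7 A NXDOMAIN m4rbt8hyc2ne.info
2017-05-03T10:00:08 10.1.2.7 A NXDOMAIN zj5wk0pgv3xa.biz
2017-05-03T10:00:09 10.1.2.7 A NXDOMAIN h9dfq2lsn7ru.org
2017-05-03T10:00:10 10.1.2.7 A NXDOMAIN b3xtm6wvk1yo.com
2017-05-03T10:00:11 10.1.2.7 A NXDOMAIN c8pnz4gqd5je.net
2017-05-03T10:00:20 10.1.2.9 TXT NOERROR 3a9f1c4e7b2d8f06a1c3e5b7d9f02468.t.tunnel-example.test
2017-05-03T10:00:21 10.1.2.9 TXT NOERROR 0f1e2d3c4b5a69788796a5b4c3d2e1f0.t.tunnel-example.test
2017-05-03T10:00:22 10.1.2.9 TXT NOERROR deadbeefcafef00d0123456789abcdef.t.tunnel-example.test
2017-05-03T10:00:23 10.1.2.9 TXT NOERROR 11223344556677889900aabbccddeeff.t.tunnel-example.test
2017-05-03T10:00:24 10.1.2.9 TXT NOERROR a1b2c3d4e5f60718293a4b5c6d7e8f90.t.tunnel-example.test
2017-05-03T10:00:25 10.1.2.9 TXT NOERROR fedcba98765432100123456789abcdef.t.tunnel-example.test
"""


def parse_dns_log(text):
    """Parse the constructed log format into a list of records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, qtype, rcode, qname = line.split()
        records.append({"ts": ts, "host": host, "qtype": qtype,
                        "rcode": rcode, "qname": qname.lower().rstrip(".")})
    return records


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_domain(qname):
    """Return (subdomain, base_domain). Simplification: the base domain is the
    last two labels; use the public suffix list in a real deployment."""
    labels = qname.split(".")
    if len(labels) < 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_dga_hosts(records, min_failed=5, min_entropy=3.0, min_len=10, min_ratio=0.8):
    """Flag hosts whose queries are mostly NXDOMAIN answers for long,
    high-entropy second-level labels (assumed thresholds)."""
    by_host = defaultdict(list)
    for r in records:
        by_host[r["host"]].append(r)
    anomalies = []
    for host, recs in by_host.items():
        suspicious = set()
        for r in recs:
            sld = split_domain(r["qname"])[1].split(".")[0]
            if (r["rcode"] == "NXDOMAIN" and len(sld) >= min_len
                    and shannon_entropy(sld) >= min_entropy):
                suspicious.add(r["qname"])
        if len(suspicious) >= min_failed and len(suspicious) / len(recs) >= min_ratio:
            anomalies.append({"host": host, "type": "cc_dga", "phase": "stagnation",
                              "evidence": sorted(suspicious)})
    return anomalies


def detect_dns_tunnels(records, min_queries=5, min_sub_len=30):
    """Flag (host, base domain) pairs with many distinct, long subdomain labels:
    the query names themselves are carrying data (assumed thresholds)."""
    by_key = defaultdict(list)
    for r in records:
        sub, base = split_domain(r["qname"])
        by_key[(r["host"], base)].append((sub, r["qtype"]))
    anomalies = []
    for (host, base), items in by_key.items():
        subs = {s for s, _ in items if s}
        if len(subs) < min_queries:
            continue
        mean_len = sum(len(s) for s in subs) / len(subs)
        if mean_len < min_sub_len:
            continue
        txt_ratio = sum(1 for _, q in items if q == "TXT") / len(items)
        anomalies.append({"host": host, "type": "dns_tunnel", "phase": "data_transfer",
                          "evidence": {"base_domain": base, "distinct_subdomains": len(subs),
                                       "mean_subdomain_len": round(mean_len, 1),
                                       "txt_ratio": round(txt_ratio, 2)}})
    return anomalies


def detect_dns_anomalies(log_text):
    """Run both single-point detectors and return anomalies sorted by host."""
    records = parse_dns_log(log_text)
    return sorted(detect_dga_hosts(records) + detect_dns_tunnels(records),
                  key=lambda a: (a["host"], a["type"]))


if __name__ == "__main__":
    for a in detect_dns_anomalies(SAMPLE_DNS_LOG):
        print(a["host"], a["type"], a["phase"], a["evidence"])
```

Each anomaly carries the kill-chain phase it belongs to (stagnation for a C&C callback, data transfer for a tunnel), which is what a correlation stage needs in order to chain single-point events per host. The NXDOMAIN ratio matters: entropy alone also flags long legitimate names, so the rule requires that the random-looking lookups fail and dominate the host's queries.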
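The paragraph above states the correlation rule behind threat determination: single-point anomalies are grouped per host across the kill-chain phases, and a host that shows more than one phase is an advanced threat while a single-phase host is a common threat. The following added example (not CIS code) implements that rule over constructed anomaly events. It assumes a 72-hour correlation window, so events for the same host separated by a longer gap fall into separate sessions and are judged separately; the phase names follow the datasheet, and every host, timestamp and external address is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from itertools import groupby

# Kill-chain phases in the order the datasheet lists them.
KILL_CHAIN = ["penetration", "stagnation", "privilege_acquisition",
              "reconnaissance", "data_transfer"]
PHASE_INDEX = {p: i for i, p in enumerate(KILL_CHAIN)}


@dataclass(frozen=True)
class Anomaly:
    """One single-point anomaly as a detector would emit it."""
    ts: datetime
    host: str
    phase: str
    detector: str
    detail: str
    external_ip: str = ""   # attack source or C&C server, when known


# Constructed single-point anomaly events (not real data).
SAMPLE_ANOMALIES = [
    Anomaly(datetime(2017, 5, 3, 9, 12), "10.1.2.7", "penetration", "sandbox",
            "high-risk mail attachment"),
    Anomaly(datetime(2017, 5, 3, 11, 40), "10.1.2.7", "stagnation", "cc_anomaly",
            "callback to unknown C&C", "203.0.113.45"),
    Anomaly(datetime(2017, 5, 4, 8, 5), "10.1.2.7", "privilege_acquisition",
            "log_correlation", "brute-force attempts followed by a successful login"),
    Anomaly(datetime(2017, 5, 5, 2, 30), "10.1.2.7", "data_transfer", "covert_tunnel",
            "DNS tunnel to tunnel-example.test", "198.51.100.20"),
    Anomaly(datetime(2017, 5, 3, 14, 0), "10.1.2.3", "reconnaissance",
            "traffic_baseline", "port scan of 10.1.2.0/24"),
    # Same host, two events 19 days apart: outside the window, so not chained.
    Anomaly(datetime(2017, 5, 1, 9, 0), "10.1.2.9", "penetration", "sandbox",
            "suspicious attachment"),
    Anomaly(datetime(2017, 5, 20, 9, 0), "10.1.2.9", "data_transfer",
            "traffic_anomaly", "threshold-exceeding upload", "192.0.2.77"),
]


def sessionize(events, window):
    """Split one host's time-sorted events into sessions; a gap longer than
    `window` between consecutive events starts a new session."""
    sessions, current = [], []
    for e in events:
        if current and e.ts - current[-1].ts > window:
            sessions.append(current)
            current = []
        current.append(e)
    if current:
        sessions.append(current)
    return sessions


def correlate(anomalies, window=timedelta(hours=72)):
    """Chain single-point anomalies per host and classify each session as an
    advanced (multi-phase) or common (single-phase) threat."""
    threats = []
    ordered = sorted(anomalies, key=lambda a: (a.host, a.ts))
    for host, evs in groupby(ordered, key=lambda a: a.host):
        for session in sessionize(list(evs), window):
            phases = sorted({e.phase for e in session}, key=PHASE_INDEX.__getitem__)
            threats.append({
                "host": host,
                "category": "advanced" if len(phases) > 1 else "common",
                "phases": phases,
                "start": session[0].ts,
                "end": session[-1].ts,
                "sources": sorted({e.external_ip for e in session if e.external_ip}),
                "evidence": [f"{e.ts:%Y-%m-%d %H:%M} {e.detector}: {e.detail}"
                             for e in session],
            })
    # Most phases first, then by host and session start.
    return sorted(threats, key=lambda t: (-len(t["phases"]), t["host"], t["start"]))


def attack_path(threat):
    """Render the phases of one threat as an attack path string."""
    return " -> ".join(threat["phases"])


if __name__ == "__main__":
    for t in correlate(SAMPLE_ANOMALIES):
        print(f"{t['host']} {t['category']:8} {attack_path(t)} sources={t['sources']}")
        for line in t["evidence"]:
            print("   ", line)
```

The output for the constructed input is one advanced threat for 10.1.2.7 spanning four phases, with both external addresses listed as sources, and three common threats: the scanning host and the two unrelated sessions of 10.1.2.9. The window is the edge case worth tuning; too short a window splits a slow campaign into common threats, too long a window chains unrelated single-point events on a busy host.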
The attack path display in the threat dimension effectively demonstrates the multiple stages of an advanced threat, including external penetration, C&C, internal transmission, and data theft, and clearly shows external attack sources or C&C servers in different regions and compromised or affected hosts on the enterprise network.

[Figure: APT kill chain correlation.]

Network-wide collaboration: Collaborating with security devices and endpoints to handle detected threats and sharing reputation in the cloud
Collaborating with security devices: After detecting threat information, the CIS can interwork with Huawei NGFWs within minutes to block attacking traffic.
Collaborating with endpoints: The CIS can synchronize detection results with third-party endpoints, so that the endpoints detect and get rid of threats.
Sharing on the cloud: The global threat intelligence center provides the reputation query service based on the threat information detected and uploaded by the CIS. In addition, the CIS can automatically or manually access the cloud reputation center to query IP address, domain, and file reputation information based on customer requirements and performs advanced analysis based on such reputation information. The CIS provides a web page for you to query intelligence on the cloud for further investigation and analysis based on detected threats.

Network visualization: Real-time awareness of security posture, enabling search and source tracing of PB-level data within seconds
1. Threat map: Clearly displays threats facing the enterprise network from all over the globe and the latest detected threat events on the threat map. This helps the O&M personnel to detect threats in a timely manner and predict network security trends.
2. Key region-focused stage mode: Displays the CIS security posture. A province, city, district, or county can be specified as the stage, with the rest of the world shown around it, to show the attack posture aimed at the region on the stage.
[Figure: global security posture awareness.]

3. Smart search: Conducts quick searches of events and traffic metadata using keywords, condition expressions, and time ranges to rapidly locate the threat and context data of interest to security O&M personnel. In addition, personnel can view detailed data trend statistics and search results, with 1 billion records being processed within 5 seconds.
4. Event investigation: Investigates events based on the kill chain and correlates traffic metadata with different attack stages. The metadata-related PCAP files are available for download under the traffic metadata search result list. Because these operations are performed on the same interface, security O&M personnel can efficiently collect and analyze information.

[Figure: threat schedule.]

Other functions:
1. Hierarchical big data platform architecture, module-based function combination, and open interfaces: Facilitate southbound threat log interconnection and northbound interconnection with third-party comprehensive security management systems.

Application Scenarios

1. Information Security for Finance and Large Enterprises

[Figure: deployment diagram. Labels: Internet; Branch 1 and Branch 2, each with a flow probe + collector; flow probe; log collector; sandbox; CIS in the management area; endpoints (E) in the core area and office; global threat intelligence center; APT detection cloud service.]

Key Requirements:
1. Detect threats.
2. Block APT attacks.
3. Display security posture.

Key Deployment Points:
1. Deploy flow probes at the Internet border and branch border, and configure policies as required. Flow probes can be optionally deployed at the intranet border.
2. Deploy the sandbox and CIS in the management area.
3. Deploy security devices, such as NGFWs and NGIPSs, at network borders.
4. Deploy endpoint and server probes in the office and core area.
5. Use security devices, such as firewalls, to detect known threats. Use the flow probes, sandbox, and CIS to detect unknown threats. The CIS interworks with firewalls to block APT attacks and displays network-wide security posture.

2. Security Posture Awareness

[Figure: security posture awareness deployment. Labels: carrier network; mirrored traffic; traffic attack detecting device (traffic detection) with cleaning device, AntiDDoS, diversion and injection; application known threat detecting device (sample detection), IDS; DPI system; DNS reply traffic; APT sandbox (file inspection); NAT source tracing system and NAT source tracing log; detection log; security log; interworking; CIS; security posture awareness; global threat intelligence center.]

Solution Features:
1. Known threat detection
1) Checks traffic to detect DDoS attacks and identify zombie hosts.
2) Checks traffic to detect application-layer intrusion and identify network intrusion attack behavior.
3) Inspects files to detect malware and identify the transmission of malicious files.
2. Unknown and advanced threat detection
1) Checks traffic to detect unknown attacks and identify unknown infected hosts and zombie hosts.
2) Inspects files to detect unknown malicious files and identify the transmission of unknown malicious files.
3) Checks traffic and files to detect APT penetration and covert tunnels.
3. Attack source tracing and forensics
1) The big data platform stores protocol metadata, based on which advanced threats are investigated and analyzed.
2) Packets are captured from suspicious traffic, facilitating event confirmation, investigation, and analysis.
4. Network-wide security posture awareness
Detects botnets, Trojan horses, worms, C&C, and advanced threat attacks on the entire network as well as infected hosts in the internal network.

Product Specifications

Model: CIS

Functions
Traffic collection: Parses HTTP, DNS, and mail protocols, restores HTTP files and mail attachments, and captures packets based on packet capture rules.
Log collection: Collects syslogs from ArcSight and FireHunter, and netflow logs from Huawei routers, Huawei switches, and flow probes.
C&C anomaly detection: Detects DGA and Fast-Flux domain names.
Event correlation: Provides predefined rules for logs and allows users to define correlation rules and analysis sub-rules.
Traffic baseline anomaly detection: Allows users to configure traffic control rules and supports vertical and horizontal scanning detection.
Traffic anomaly detection: Detects unauthorized access, threshold-exceeding traffic rates, and threshold-exceeding access frequency.
Mail anomaly detection: Analyzes mail sending servers, senders, and recipients, allows users to define the mail whitelist and blacklist, and detects mail attachments.
Covert tunnel detection: Detects Ping Tunnel, DNS Tunnel, and file evasion.
Reputation management: Supports local IP reputation query, DNS reputation generation, and file reputation query.
Attack path visualization: Displays attack transmission paths, including attacks from the Internet to the intranet, transmission within the intranet, and C&C connections from the intranet to the Internet.
Network-wide threat posture: Analyzes threats, malicious and suspicious mails, malicious and suspicious files, targeted hosts, and malicious domain names; and displays correlated events and traffic anomaly events.
Smart search: Searches for data and drills down into search results.
Blacklist and whitelist management: Manages the mail, URL, IP address, and domain name blacklists and whitelists.

Node Server Specifications

Flow probe (high-spec), server type RH2288H V3
Server configuration: CPU: 2 x 10-core 2.3 GHz; Memory: 64 GB; System disk: 2 x 300 GB SAS (RAID1 supported); Data disk: 6 x 1 TB SATA (RAID6 supported)
Description: Collects traffic on the entire network and reports traffic metadata and netflow data to the CIS. Its performance is 10 Gbit/s.

Flow probe (low-spec), server type RH2288H V3
Server configuration: CPU: 1 x 10-core 2.3 GHz; Memory: 32 GB; System disk: 2 x 1 TB SATA (RAID1 supported); Data disk: 1 TB SATA
Description: Collects traffic on the entire network and reports traffic metadata and netflow data to the CIS. Its performance is 0.5 Gbit/s.

Collector, server type RH2288H V3
Server configuration: CPU: 2 x 10-core 2.3 GHz; Memory: 64 GB; System disk: 2 x 300 GB SAS (RAID1 supported); Data disk: 6 x 1 TB SATA (RAID6 supported)
Description: Collects and normalizes logs. Its performance is 7000 EPS for syslogs or 120,000 EPS for netflow logs.

CIS big data backend service node, server type RH2288H V3
Server configuration: CPU: 2 x 12-core 2.3 GHz; Memory: 256 GB; System disk: 2 x 600 GB SAS (RAID1 supported); Data disk: 23 x 1.2 TB SAS (RAID6 supported)
Description: Data pre-processing, distributed storage, distributed indexing, and threat detection and analysis.

Visualization management node, server type RH2288H V3
Server configuration: CPU: 2 x 12-core 2.3 GHz; Memory: 256 GB; System disk: 2 x 600 GB SAS (RAID1 supported); Data disk: 23 x 1.2 TB SAS (RAID6 supported)
Description: Kill chain display, report generation, security posture awareness, and system management.

Dimensions, Power Supply, and Operating Environment

Dimensions (H x W x D):
Probe server: 43 mm x 436 mm x 708 mm (1 U)
Backend service server, visualization management/probe server: 86.1 mm x 447 mm x 748 mm (2 U)

Weight (net weight with full configuration):
Probe server: 20 kg
Backend service server, visualization management/probe server: 30 kg
Packaging material: 5 kg

AC power supply: AC power input 100 V to 240 V; compatible with 240 V HVDC input, 192 V to 288 V
DC power supply: -75 V to -36 V; rated -48 V

Maximum power consumption:
Probe server: 364 W
Backend service server: 638 W
Visualization management/probe server: 426 W

Ambient temperature:
Working temperature: 5°C to 45°C (41°F to 113°F)
Storage temperature: -40°C to +65°C (-40°F to +149°F)
Temperature change: < 20°C (36°F) every hour
Long-term storage temperature: 21°C to 27°C (69.8°F to 80.6°F)

Ambient humidity:
Working humidity: 8% RH to 90% RH (non-condensing)
Storage humidity: 5% RH to 95% RH (non-condensing)
Humidity change: < 20% RH every hour
Long-term storage humidity: 30% RH to 69% RH (non-condensing)

Ordering Information

Software
CISSOFTWARE-CD: CIS Software
CIS-PLATFORM: CIS big data basic platform
CIS-FAD: Traffic anomaly detection
CIS-CA: Correlation analysis
CIS-CCAD: C&C anomaly detection
CIS-HTD: Covert tunnel anomaly detection
CIS-MAD: Mail anomaly detection
CIS-ALV: Attack path visualization
CISEXPLIC: Capacity expansion license

Server
SEC-SERVER-AC-03: Security product server AC configuration 03 (2 x 750 W AC, Rail). CIS service node servers, including the cluster controller, data dispatcher, and detection and storage node servers.
SEC-SERVER-AC-04: Security product server AC configuration 04 (2 x 750 W AC, Rail). CIS visualization node and collector with the capability to process 7000 EPS or 120,000 FPS logs, or a probe server with the capability to process 10 Gbit/s mixed traffic, or a flow probe with the capability to process 1 Gbit/s DNS traffic.
SEC-SERVER-AC-05: Security product server AC configuration 05 (2 x 460 W AC, Rail). Low-end node, which is a probe server that can process 0.5 Gbit/s traffic or a flow probe that can process 0.05 Gbit/s DNS traffic.

Auxiliary Configuration
G0MYSQL04: System Software, System Application Software, Light Application Data Management Software Package (5.6 E), 1 Year Standard Product Services, Paper License
CIS-LNX-CD: Linux Preinstall Software
SC1GSUSE1101: Novell SuSE LINUX Enterprise Server 11, 1 Year 7x24 Service

About This Publication
This publication is for reference only and does not constitute any commitments or guarantees. All trademarks, pictures, logos, and brands mentioned in this document are the property of Huawei Technologies Co., Ltd. or a third party.
Copyright©2017 Huawei Technologies Co., Ltd. All rights reserved.