Survey
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
* Your assessment is very important for improving the workof artificial intelligence, which forms the content of this project
Unix security wikipedia , lookup
Signals intelligence wikipedia , lookup
Information privacy law wikipedia , lookup
Mobile security wikipedia , lookup
Computer security wikipedia , lookup
Cracking of wireless networks wikipedia , lookup
Deep packet inspection wikipedia , lookup
Distributed firewall wikipedia , lookup
DRAFT DRAFT DRAFT Terremark Worldwide (NASDAQ:TMRK) is a provider of IT infrastructure services with datacenters in the United States, Europe and Latin America. These datacenters are networked from more than 160 global communication and internet carriers, allowing Terremark to deliver to its clients (government, enterprise and Web 2.0 customers) a comprehensive suite of managed IT solutions. These solutions including managed hosting, co-location, network and security services. Terremark Secure Information Services team (SiS) specializes in computer incident response and information security consulting services for complex, large-scale, globally dispersed enterprises. . Investigative Conclusions: Terremark Secure Information Services (SIS) was retained by QinetiQ North America (QNA) as an independent third party to examine Cyveillance’s (a wholly owned subsidiary of QNA) systems and networks to determine if Cyveillance had been or is currently compromised. If indicators of compromise were discovered, Terremark would support Cyveillance and QNA with a full-scale incident response. The strategic approach for the examination centered on network traffic evaluation to determine compromised hosts. Equipment sent to Cyveillance continuously was collecting and monitoring the network traffic, in fine-gain detail, by capturing the full details of each packet entering or leaving the Cyveillance network.. Terremark SiS began not only the monitoring and collecting of the network traffic but analysis of the packets captured starting on 22 July 2010 and completed on 10 August 2010. Traffic flows and the full packet captures have been preserved as evidence to support our investigative findings and conclusions. Based on the evidence collected and analyzed no hard factual data of Cyveillance being compromised of could be identified by either our “live” traffic monitoring or the our forensic review of the firewall logs Background and Investigative Summary: QNA was approached by several government agencies that had a concern that traffic seen coming from the Cyveillance network was indicative of a potential compromise. Subsequently Terremark was asked to provide an expert opinion in the form of an ‘intelligence risk assessment’ regarding the potential of a compromise at Cyveillance. If such a compromise was discovered than Terremark would not only respond to the incident but provide a detailed analysis on the threat, persistence mechanisms, and capabilities, commonly referred to in cyber security terms as an Advanced Persistent Threat (APT). QNA was given information by the government agencies, who then passed that information to Terremark. This technical information was a list of summarized network traffic and became the starting point for Terremark’s investigation. The government provided information list contained38 host representing the systems which the government was concerned might have been potentially compromised and communicating to unidentified internet hosts over a period of several months. The government inquiry list was used to search Cyveillance logs for matched records. All Terremark analysis was performed with a defined contextual consideration of needing to contrast systems, their functions, what the government provided list indicated against how Cyveillance interacts with malware, malicious sites, and as legitimate business objectives. In support of the independent investigation, Cyveillance supplied Terremark with network diagrams, description of services, assisted with onsite operational support (e.g. connecting the equipment to the appropriate networks). Cyveillance also provided access to a third party log aggregation service, SecureWorks. Terremark compared the Cyveillance firewall and Intrusion Detection logs (hosted at SecureWorks) with the government inquiry list to locate any matches as well as determine the following: No exact matches were found. Based on time only, a single IP address consistently matched the government list. However, none of the Cyveillance IP addresses matched. Based on other factors, the IP address appears to be legitimate traffic from authorized business processes and was provided to QNA for confirmation. Several advanced analysis techniques were used to reduce the massive amount of traffic data in a process known as ‘data reduction'. The ‘data reduction’ process removes as much of the legitimate traffic, in as large a group as possible, using time, size, and pattern matching. What remains after data reduction is usually suspect, however in the case of Cyveillance the number of external hosts after data reduction were still in the thousands. Terremark SiS went on to develop a set of criteria of what would be required for a largescale intrusion consisting of 28 or more compromised hosts and what would those indicators look like. These indicators allow for the creation of additional different data reduction techniques. Even with these additional steps, the government provided report shows only a limited amount of sanitized detail which makes an exact match exceedingly difficult. Even still some of the key data points that were continued to be examined were: Excessive internal to external communications. Traffic details indicating type, duration, and size. . After monitoring, collecting, reviewing historic firewall and IDS logs, no information, that we could identify, would explain the commonality or partial matching, except the government inquiry list has the right time but wrong IP addresses or simply coincidence. The matching IP addresses appear to be related to approved and authorized business process activity known as “crawling” and therefore most likely a false positive. However this finding requires additional confirmation that Terremark was unable to provide due to time constraints. This advanced analysis supports the live traffic analysis as well rudimentary firewall and IDS log review to again conclude no hard evidence of compromise was able to be determined within the time frame of the investigation. Only systems at Cyveillance that were compromised were the following: 1. Cyveillance annalist’s systems that are highly prone to malware exposure 2. other systems intended to be compromised for either malware analysis systems in the isolated Security Lab, which attempts to lure all threats including attacks consistent with an APT. In the absence of a detected large-scale threat and subsequent threat characterization, Terremark provided recommendations for QNA’s consideration, all of which have the goal of rapidly detecting suspect traffic and better network audits. The recommendations include additional tools and techniques for greater assurance through full packets captures and audit data known as ‘flow'. The use of such tools would endow Cyveillance with the ability to inspect traffic against any future claim of compromise.