chris haley - understanding attackers' use of covert communications
TRANSCRIPT
© Vectra Networks | www.vectranetworks.com
The Use of Covert Communications in Modern Cyber Attacks
@vectra_networks
CHRIS HALEY
SECURITY
Hidden Communications
Fundamental aspect of targeted attacks
• “Low and slow” doesn’t exist without hidden comms
• Command and Control
• Exfiltration
Many ways to hide
• Attacker controls both ends of the connection
• Any application, protocol, or encryption is available
A closer look at the phases of an active cyber attack
[Diagram: Initial Infection splits into two tracks. Targeted threats: Custom C&C, Internal Recon, Lateral Movement, Custom C&C & RAT, Acquire Data, Exfiltrate Data. Opportunistic threats: Standard C&C, Botnet Monetization.]
Focus on hidden communications
[Same attack-phase diagram, this time focused on the communication phases: Custom C&C, Custom C&C & RAT, Standard C&C, Exfiltrate Data.]
Targeted attackers don’t reuse C&C servers … typically
• Use of Domain Generation Algorithms (DGA)
• Protocols: DNS, IRC, HTTP, HTTPS
• Dropbox, Google Drive, Gmail
Reuse = Getting Caught
Requirements for detecting covert communications
Look at behavior, not appearance
• IP address, URL, protocol can change
• Fundamental behavior will not
Direct access to traffic
• To find what others miss, you must have access to the real evidence, not summaries
Expect obfuscation
• Hiding is the name of the game
Types of machine learning
Supervised Learning
• Analyze a massive set of samples to find the behaviors common to all
• Finds inherent behavior to provide detections with a long shelf-life
• Fast, no local learning required
Unsupervised Learning
• Software analyzes local traffic to learn “normal” behaviors
• Reveals anomalies that can only be learned in the target network
• Requires time to learn
Hiding within encryption
Threat hiding within encrypted traffic
More traffic is encrypted by default
• Standard for cloud applications
• Doubled last year in North America*
Decryption more difficult
• Serious performance trade-offs
• Increase in certificate pinning makes decryption less reliable
Simple hiding place for attackers
• Owns both sides of the connection
• Standard SSL or custom scheme
*Source: Sandvine Internet Phenomena Report
Poll Question #1
Do you decrypt your network traffic for security inspection today?
A. Yes, all traffic is decrypted
B. Some traffic is selectively decrypted by policy
C. No traffic is decrypted
D. I do not today but am planning to in the future
Summary of Vectra
While the individual man is an insoluble puzzle, in the aggregate he becomes a mathematical certainty
- Sherlock Holmes
Behavioral traffic analysis can find threats without decryption
Data science models applied directly to traffic reveal the underlying behavior
• Communication cadence
• Which side is in control of the conversation?
• Human or automated?
Learn the distinctive patterns of malicious traffic
• Command-and-control instructions
• External remote access
• Malware update, tunnels, anonymizers, etc.
Hidden Tunnels
Hidden tunnels
What are hidden tunnels?
• Techniques used by attackers to hide their malicious communications within commonly allowed traffic and protocols
• Commonly seen in HTTP, HTTPS, DNS
• Example: Data or control messages embedded in optional fields of a packet
Types of hidden tunnels
Hidden messages embedded across many sessions
• E.g. data embedded within the DNS text field
• Difficult for signatures to detect, as placement can constantly move
• Requires intelligence about the larger pattern of communication
Full tunnels over HTTP
• E.g. Meterpreter tunnel over HTTPS
• Hard to detect, as visibility may be constricted
• Requires in-depth knowledge of protocol behavior
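The cross-session pattern this slide describes, as an added example that is not part of the original deck or of any Vectra product: a small Python detector run over a constructed DNS query log. It aggregates per registrable domain (assuming, for the example, that the last two labels are the domain) and flags domains whose queries almost never repeat and carry high-entropy labels, which is what chunked data in DNS fields looks like in aggregate even though any single query looks ordinary.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS query log (not real traffic), one "<client> <qtype> <qname>" per line.
# The five example.org queries imitate data chunks carried in never-repeating labels.
LOG = """\
10.0.0.5 A www.example.com
10.0.0.5 A cdn.example.com
10.0.0.5 TXT mail.example.com
10.0.0.9 TXT 4d4a3f9c1b.k3x9q2.example.org
10.0.0.9 TXT 7e21aa90cc.p8r1z5.example.org
10.0.0.9 TXT b0c4f1e877.m2w7n4.example.org
10.0.0.9 TXT 19ff3c0d2a.t6y0k8.example.org
10.0.0.9 TXT e5d0b7a136.q4v3h1.example.org
"""

def shannon_entropy(s):
    """Bits per character; encoded payload labels score far higher than words."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def registered_domain(qname):
    # Assumption for the example: the last two labels are the registrable domain.
    return ".".join(qname.lower().strip(".").split(".")[-2:])

def profile_domains(log_text):
    """Aggregate per registrable domain across all queries: the pattern lives in
    the population, since any single query looks like an ordinary lookup."""
    stats = defaultdict(lambda: {"queries": 0, "subdomains": set(), "entropy": []})
    for line in log_text.splitlines():
        _client, _qtype, qname = line.split()
        dom = registered_domain(qname)
        sub = qname.lower()[: -len(dom)].rstrip(".")
        st = stats[dom]
        st["queries"] += 1
        st["subdomains"].add(sub)
        st["entropy"].append(shannon_entropy(sub.replace(".", "")))
    return stats

def tunnel_suspects(stats, min_queries=5, min_unique_ratio=0.9, min_entropy=3.0):
    """Flag domains whose queries almost never repeat and carry high-entropy labels."""
    flagged = []
    for dom, st in stats.items():
        unique_ratio = len(st["subdomains"]) / st["queries"]
        avg_entropy = sum(st["entropy"]) / len(st["entropy"])
        if (st["queries"] >= min_queries and unique_ratio >= min_unique_ratio
                and avg_entropy >= min_entropy):
            flagged.append(dom)
    return sorted(flagged)
```

The thresholds are illustrative; in practice they are tuned against the baseline of the monitored network, and a public suffix list replaces the two-label domain assumption.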
Recent Vectra study of hidden tunnels
• Large-scale analysis of enterprise and government networks
• Data science detects hidden tunnels in HTTP, HTTPS, and DNS without decryption
• Attackers prefer the use of HTTPS
Hiding within allowed applications
Hiding within allowed applications
• Recently observed malware using Gmail as an automated C&C
• Used Microsoft COM to send Python commands directly through Internet Explorer
• Drafts automatically synced to the cloud, so C&C without mail ever being sent
Focus on what threats do, not what they are called
Trying to name all bad things only ensures that you are always behind
• Near-infinite supply of repackaged malware, IP addresses, and URLs
Vectra uses machine learning to expose the true purpose and effect of traffic
Malicious behaviors are similar across platforms
• Does it really matter if that port scanner is on a laptop or an iPhone?
It’s what it does, not what it is
Command and control via Gmail
• Trusted application, trusted URL, trusted IP, allowed behavior
• No email ever sent
Communication behavior still looks like traditional botnet pulling behavior
• Unique pattern of call and response
• Bot completes a task and asks for next instructions
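The cadence, control-direction and human-versus-automated signals from the “Behavioral traffic analysis” slide, and the call-and-response pulling pattern this slide describes, as one added Python example that is not part of the original deck or of any Vectra product. Flow records, hosts and thresholds are constructed for illustration; the client-to-server byte share stands in for “which side is in control”, and the pattern is scored per client/server pair regardless of which application or IP carries it.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flows (not real traffic): (time_s, client, server, bytes_to_server, bytes_from_server)
FLOWS = [
    # bot-like: a near-identical small request about every 60 s, replies vary in size
    (1000, "10.0.0.5", "203.0.113.9", 210, 40),
    (1059, "10.0.0.5", "203.0.113.9", 211, 1800),
    (1121, "10.0.0.5", "203.0.113.9", 210, 42),
    (1180, "10.0.0.5", "203.0.113.9", 212, 38),
    (1240, "10.0.0.5", "203.0.113.9", 210, 640),
    # human-like: bursty timing, request sizes vary with what was clicked
    (1000, "10.0.0.7", "198.51.100.4", 900, 52000),
    (1004, "10.0.0.7", "198.51.100.4", 1500, 240000),
    (1131, "10.0.0.7", "198.51.100.4", 420, 8000),
    (1390, "10.0.0.7", "198.51.100.4", 3100, 120000),
    (1392, "10.0.0.7", "198.51.100.4", 700, 64000),
]

def _cv(values):
    """Coefficient of variation: 0.0 means perfectly regular."""
    m = mean(values)
    return pstdev(values) / m if m else 0.0

def conversation_profile(flows):
    """Per (client, server) pair: cadence regularity, request uniformity and
    which side sends most of the bytes (a proxy for who drives the conversation)."""
    by_pair = defaultdict(list)
    for t, client, server, to_srv, from_srv in flows:
        by_pair[(client, server)].append((t, to_srv, from_srv))
    profiles = {}
    for pair, recs in by_pair.items():
        recs.sort()
        times = [r[0] for r in recs]
        gaps = [b - a for a, b in zip(times, times[1:])]
        to_srv = sum(r[1] for r in recs)
        from_srv = sum(r[2] for r in recs)
        profiles[pair] = {
            "sessions": len(recs),
            "interval_cv": _cv(gaps) if gaps else 0.0,
            "request_cv": _cv([r[1] for r in recs]),
            "client_share": to_srv / (to_srv + from_srv),
        }
    return profiles

def is_automated_pull(profile, min_sessions=4, max_cv=0.2):
    """Beacon-style 'finished, what next?' pattern: regular cadence, near-identical requests, server supplies the data."""
    return (profile["sessions"] >= min_sessions and profile["interval_cv"] <= max_cv
            and profile["request_cv"] <= max_cv and profile["client_share"] < 0.5)
```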
Poll Question #2
Of the allowed applications in your network, which ones do you think pose the greatest risk of a cyber attack?
A. Consumer cloud-based applications – Facebook, webmail, Dropbox, etc.
B. Enterprise cloud-based applications – file shares, CRM tools.
C. On-premise applications and data stores.
D. IT and admin tools.
External Remote Access
External Remote Access
Critical component of targeted attacks and breaches
Shift from pure malware to human control and intelligence
Can leverage malware or approved tools
• RATs – Remote Access Tools
• Administrative tools – RDP, VNC, TeamViewer
External remote access case study: GlassRAT
• Undetected for over 3 years
• Discovered by RSA Security
• Used a cert of a valid software company in China
• No AV coverage initially
• Rare overlaps with C&C servers used in nation-state attacks
Source: https://blogs.rsa.com/wp-content/uploads/2015/11/GlassRAT-final.pdf
External remote access case study: GlassRAT
Highly successful at avoiding signatures
Behavior still looked exactly like a RAT
• Similar to Netcat connected to a command shell over TCP
Anonymization
TOR and Peer-to-Peer
Obscures the true source or destination of traffic
Encrypted by default
Heavily customized by attackers
• Open-source TOR modified to create TOR-like networks that don’t use known exit nodes
• P2P heavily used by malware to resist takedown attempts
Finding staged communications
Identify when traffic is bounced through internal hosts
• Often used for exfiltration staging
• Routing command-and-control through an unsecured device
IoT Devices
Difficult to secure
• Typically easy to exploit
• Very infrequent updates
• Can’t support an end-point agent
Valuable to attackers
• Vectra ThreatLabs recently turned a DLink webcam into a functioning backdoor
Summary
• Hidden communications are the underlying enabler of modern attacks
• Control over both ends of a conversation gives attackers a variety of options for hiding
• Signatures are unsuited for finding these issues
• By focusing on the packet-level behavior, new detection models can reveal the malicious actions within trusted or opaque traffic.
[Diagram of detection categories: Command & Control, Botnet Activity, Reconnaissance, Lateral Movement, Exfiltration]