Early Warning System for Targeted Attack using Malware Intelligence
TRANSCRIPT
Page 1
6/15/2016 (C) 2016 CYTHEREAL 1
Targeting Advanced Cyber Attacks
Early Warning System for
Targeted Attack
using Malware Intelligence
Page 2
Speaker:
Dr. Arun Lakhotia
Professor of Computer Science
16 Years in Malware Research
Sponsored by:
US Department of Defense
DARPA, Air Force, Army
Founder, CEO
Mission: Targeting Advanced Targeted Attacks
USP: Automated Malware Analytics
Page 3
My 15 minutes
2003-2007: CajunBot
Timeline: 2003, 2005, 2007
Page 4
My second 15 minutes
2010: Founded Lafayette Holi
Page 5
Current Security
Industry Segmentation
Prevent Breach using Indicators of Attack (EPP)
Corporate Boundary
Detect Breach using Indicators of Compromise (EDR)
Page 6
Quiz?
Can we leverage Indicators of Attack to PREDICT a potential breach?
Corporate Boundary
Page 7
Hint
MAXIM: Defender must succeed 99 times; attacker only once.
COROLLARY: Attacker must TRY 99 times before succeeding once.
Corporate Boundary
Page 8
Targeted Attacks are
multi-staged
Initial Compromise → Establish Foothold → Escalate Privileges → Move Laterally → Steal Data
Mandiant™ Targeted Attack Cycle
Page 9
Targeted Attacks
Require Persistence
Mandiant™ Targeted Attack Cycle (same diagram: Initial Compromise → Establish Foothold → Escalate Privileges → Move Laterally → Steal Data)
Attacker must try, and try, and try
Page 10
Question?
Mandiant™ Targeted Attack Cycle (same diagram)
How can we detect persistent attempts?
Page 11
Malware (still) plays a
dominant role in data
breaches
Verizon Data Breach Report 2016:
72% delivered via phishes
85% include malware
Page 12
Persistence involves
beating AV defenses
Inundate the system with machine-generated variants
ENTERPRISE
Page 13
Current Limitation: Each
Malware is Independent
Trojan.Win.5265
KeyLog.Win.HAB
BadThing.abac
No connection between them
Page 14
Cythereal’s MAGIC:
Connect malware
Connected using shared "Genome"
Patent Pending
Research Sponsored by: DARPA Cyber Genome program
Page 15
DEMO: magic.cythereal.com
"Google" for Malware
Page 16
Case Study: Discover
Stages of Attack
Timeline of related samples across months (Jul, Aug, Sep, Oct, Dec, Jan, Feb), labelled by stage: Adware, Backdoor, Keylogger
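The two ideas on pages 14 and 16 (connect samples that carry the same "genome" even when AV gives them unrelated names, then read the connected samples in time order to see the stages of one campaign) can be shown with a small script. This is an added illustration, not Cythereal's MAGIC or its patented method: the genome of a sample is modelled here as a set of hypothetical function-level feature hashes, similarity is plain Jaccard over those sets, and the sample identifiers, AV labels, dates and features are all constructed for the example.

```python
"""
Link AV-blocked files by shared code features and surface repeated attempts.
Added illustration, not Cythereal's genome technology: the "genome" is a set of
placeholder feature hashes, and all samples below are constructed.
"""
from dataclasses import dataclass
from datetime import date
from itertools import combinations
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Sample:
    """One file blocked by endpoint AV. Every field is constructed for this example."""
    sha256: str             # placeholder identifier, not a real hash
    av_label: str           # vendor label assigned when the file was blocked
    first_seen: date        # day the file was first blocked
    stage: str              # analyst's view of what the file does
    genome: FrozenSet[str]  # hypothetical function-level feature hashes


def jaccard(a: FrozenSet[str], b: FrozenSet[str]) -> float:
    """Share of features two samples have in common (0 = unrelated, 1 = identical)."""
    union = a | b
    return len(a & b) / len(union) if union else 0.0


def link_samples(samples: List[Sample], threshold: float = 0.5) -> List[List[Sample]]:
    """Union-find over pairs whose genome similarity reaches the threshold.
    Linking is transitive: A~B and B~C put A and C in one cluster even when A and C
    share too little directly, which is what ties an early stage to a late one."""
    parent: Dict[str, str] = {s.sha256: s.sha256 for s in samples}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(a.genome, b.genome) >= threshold:
            parent[find(a.sha256)] = find(b.sha256)

    groups: Dict[str, List[Sample]] = {}
    for s in samples:
        groups.setdefault(find(s.sha256), []).append(s)
    clusters = [sorted(g, key=lambda s: (s.first_seen, s.sha256)) for g in groups.values()]
    return sorted(clusters, key=lambda g: (g[0].first_seen, g[0].sha256))


def campaign_report(cluster: List[Sample]) -> dict:
    """Summarise one cluster as a sequence of attempts rather than independent detections."""
    ordered = sorted(cluster, key=lambda s: (s.first_seen, s.sha256))
    stages: List[str] = []
    for s in ordered:
        if not stages or stages[-1] != s.stage:
            stages.append(s.stage)
    return {
        "attempts": len(ordered),
        "span_days": (ordered[-1].first_seen - ordered[0].first_seen).days,
        "av_labels": sorted({s.av_label for s in ordered}),
        "stage_sequence": stages,
    }


def early_warnings(samples: List[Sample], threshold: float = 0.5, min_attempts: int = 3) -> List[dict]:
    """Flag clusters with repeated blocked attempts: the 'attacker must try 99 times' signal."""
    return [campaign_report(c) for c in link_samples(samples, threshold) if len(c) >= min_attempts]


# Constructed input: four related files blocked months apart under unrelated AV names
# (the adware-to-keylogger sequence), plus two unrelated downloaders. Features are placeholders.
SAMPLES = [
    Sample("a1", "Adware.Win.Gen",     date(2015, 7, 6),   "adware",     frozenset("f1 f2 f3 f4 f5 f6".split())),
    Sample("a2", "Trojan.Win.5265",    date(2015, 8, 20),  "adware",     frozenset("f1 f2 f3 f4 f5 f7".split())),
    Sample("a3", "BadThing.abac",      date(2015, 10, 3),  "backdoor",   frozenset("f2 f3 f4 f5 f6 f8 f9".split())),
    Sample("a4", "KeyLog.Win.HAB",     date(2016, 1, 12),  "keylogger",  frozenset("f4 f5 f6 f8 f9 f10 f11".split())),
    Sample("b1", "Generic.Downloader", date(2015, 9, 1),   "downloader", frozenset("f20 f21 f22 f23".split())),
    Sample("b2", "PUP.Toolbar",        date(2015, 12, 9),  "downloader", frozenset("f20 f21 f22 f24".split())),
]

if __name__ == "__main__":
    for report in early_warnings(SAMPLES):
        print(report)
```

Note that `a4` (the keylogger) shares only 3 of 10 features with `a1` (the adware) and would not be linked to it directly at a 0.5 threshold; it joins the cluster through `a3`. The resulting report lists four different AV names for what is one campaign, which is exactly the connection the per-sample labels on page 13 cannot express.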
Page 17
Cythereal’s Vision
MAGIC Threat Intelligence Exchange
Hub: Global Intelligence
Indicators Exchanged: Malware Genome
Spokes: Local Intelligence
Page 18
Cythereal’s MAGIC
Learn from Adversary’s Failures
Turn Anti-Virus into
an Intelligence
Gathering Tool
Connect Malware to Connect Attacks
Page 19
How can you get it?
Giving away FIVE free one-year subscriptions
Register on: magic.cythereal.com