extracting the malware signal from internet noise
TRANSCRIPT
Extracting the Malware Signal from Internet Noise
Andrew Morris, Researcher
# whoami
• Andrew Morris
• Background in offense
• R&D @ Endgame
Tactical Insights from Global Trends
• My network is being scanned/attacked
  – Am I being targeted specifically?
  – Are other people seeing this as well?
• A vulnerability has been disclosed
  – Is anyone probing for this vulnerability?
  – Is anyone exploiting this vulnerability?
Faraday: A Global Network of Sensors
Untargeted Malware
Geographically & Logically Dispersed
Omnidirectional Internet Traffic for Collection & Analysis
If something is *not* in Faraday, it is likely targeted
Capabilities
• Iptables
• HTTP
• Telnet
• FTP
• SSH
• Strategic Packet Capture
• Custom sensors
Faraday Architecture
(architecture diagram; no text survives in the transcript)
Four Kinds of Traffic on Your Network
The difference between these can be hundreds of thousands of $$ in incident response

|           | Omnidirectional              | Targeted                   |
|-----------|------------------------------|----------------------------|
| Malicious | Worm, Mass Exploit Campaign  | Advanced Persistent Threat |
| Benign    | Search Engines (e.g. Google) | Regular Web User           |
My Network is Being Attacked
Omnidirectional Malicious:
$ faraday --ip 123.123.123.123 | wc -l
42013
Targeted Malicious:
$ faraday --ip 1.2.3.4 | wc -l
0
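The triage logic behind the two lookups above, written out as an added example (this is not Faraday's code or Endgame's; the `faraday --ip` command stays a black box here). It assumes the sensor network can be queried for observations of a source IP and stands that in with a constructed list of `(source_ip, sensor_id, dst_port)` records; the local firewall log is constructed too. It goes one step beyond the slide's two cases by adding a third verdict, "review", for sources that some sensor saw but only a single one, or that hit the local network on ports no sensor saw, since those are the cases where a count alone misleads.

```python
from collections import defaultdict

# Constructed sample of sensor-network observations: (source_ip, sensor_id, dst_port).
# A real deployment would fetch these from the sensor network's query interface.
SENSOR_HITS = [
    ("123.123.123.123", "sensor-us-east", 22),
    ("123.123.123.123", "sensor-eu-west", 22),
    ("123.123.123.123", "sensor-ap-south", 23),
    ("123.123.123.123", "sensor-us-west", 22),
    ("203.0.113.7", "sensor-us-east", 80),
    # 1.2.3.4 never appears: no sensor anywhere saw it.
]

# Constructed local firewall log: (source_ip, dst_port) of blocked connections
# at the defender's own perimeter.
LOCAL_LOG = [
    ("123.123.123.123", 22),
    ("123.123.123.123", 22),
    ("1.2.3.4", 443),
    ("1.2.3.4", 8443),
    ("203.0.113.7", 80),
]


def build_index(hits):
    """Map each source IP to the set of sensors and the set of ports that observed it."""
    sensors = defaultdict(set)
    ports = defaultdict(set)
    for ip, sensor, port in hits:
        sensors[ip].add(sensor)
        ports[ip].add(port)
    return sensors, ports


def classify(ip, local_ports, sensors, ports, min_sensors=2):
    """Classify one attacker IP seen at the local perimeter.

    'omnidirectional': seen by at least `min_sensors` independent sensors, on
                       (at least) the ports it hit us on; it is spraying the Internet.
    'targeted':        no sensor saw it at all (the slide's "0 lines" case).
    'review':          seen somewhere, but by too few sensors or on different ports;
                       a person should look before dismissing it.
    """
    seen_by = sensors.get(ip, set())
    if not seen_by:
        return "targeted"
    if len(seen_by) >= min_sensors and local_ports <= ports[ip]:
        return "omnidirectional"
    return "review"


def triage(local_log, hits, min_sensors=2):
    """Return {ip: verdict} for every distinct source in the local log."""
    sensors, ports = build_index(hits)
    local_ports = defaultdict(set)
    for ip, port in local_log:
        local_ports[ip].add(port)
    return {ip: classify(ip, local_ports[ip], sensors, ports, min_sensors)
            for ip in sorted(local_ports)}


if __name__ == "__main__":
    for ip, verdict in triage(LOCAL_LOG, SENSOR_HITS).items():
        print(f"{ip:16} {verdict}")
```

The `min_sensors` threshold is the knob that matters: a single sensor seeing the source proves only that it is not exclusively yours, while several geographically separate sensors seeing it is what justifies closing the ticket as background noise.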
A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?
Cisco CVE-2016-1287
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects all Cisco ASAs
[Chart: Faraday Port 500, daily traffic 8-Feb-16 to 10-Feb-16, y-axis 0 to 3000]
Cisco CVE-2016-1287
The spike and diversity of IP addresses over time implies:
• People are not just probing, but actively targeting it
• Where they are coming from
• Who may have known about the vulnerability prior to public disclosure
• It is not (yet) being massively exploited
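The analysis the two Cisco slides describe, as an added example (not Faraday's code): count distinct source IPs per day on the relevant port, flag the day the count jumps against the preceding baseline, and list the sources that were already hitting the port before the disclosure date. The hits are constructed to resemble the shape of the chart on the previous slide (a flat baseline, then a jump on 10 Feb); the real counts are not on the page. Note that volume and source diversity say nothing about whether the traffic carries a working exploit; deciding "probing" versus "exploitation" still needs the payloads the sensors captured.

```python
from collections import defaultdict
from datetime import date
from statistics import median

DISCLOSURE = date(2016, 2, 10)

# Constructed sensor hits on UDP/500 (IKE): (day, source_ip). Invented values
# that mimic a flat baseline followed by a spike on the disclosure day.
PORT500_HITS = [
    (date(2016, 2, 6), "198.51.100.10"),
    (date(2016, 2, 7), "198.51.100.10"),
    (date(2016, 2, 7), "198.51.100.11"),
    (date(2016, 2, 8), "198.51.100.10"),
    (date(2016, 2, 8), "203.0.113.5"),      # already on the port before disclosure
    (date(2016, 2, 9), "203.0.113.5"),
    (date(2016, 2, 9), "198.51.100.12"),
    (date(2016, 2, 10), "203.0.113.5"),
    *[(date(2016, 2, 10), f"192.0.2.{i}") for i in range(1, 40)],  # the spike
]


def distinct_sources_per_day(hits):
    """{day: number of distinct source IPs seen that day}, in date order."""
    per_day = defaultdict(set)
    for day, ip in hits:
        per_day[day].add(ip)
    return {day: len(ips) for day, ips in sorted(per_day.items())}


def spike_days(counts, factor=5.0, min_baseline_days=2):
    """Days whose distinct-source count exceeds `factor` times the median of
    all earlier days. The first `min_baseline_days` days are baseline only."""
    days = sorted(counts)
    flagged = []
    for i, day in enumerate(days):
        if i < min_baseline_days:
            continue
        baseline = median(counts[d] for d in days[:i])
        if counts[day] > factor * max(baseline, 1):
            flagged.append(day)
    return flagged


def sources_by_phase(hits, disclosure):
    """Split sources into those seen strictly before disclosure and those seen on or after."""
    before = {ip for day, ip in hits if day < disclosure}
    after = {ip for day, ip in hits if day >= disclosure}
    return before, after


def early_scanners(hits, disclosure):
    """Sources active both before and after disclosure: candidates that either knew
    of the issue early or were scanning the service anyway. Worth a closer look,
    not a conclusion on their own."""
    before, after = sources_by_phase(hits, disclosure)
    return sorted(before & after)


if __name__ == "__main__":
    counts = distinct_sources_per_day(PORT500_HITS)
    for day, n in counts.items():
        print(day.isoformat(), n)
    print("spike days:", [d.isoformat() for d in spike_days(counts)])
    print("active before and after disclosure:", early_scanners(PORT500_HITS, DISCLOSURE))
```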
Redis CVE-2015-4335
• Remote code execution vulnerability in Redis
  – Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published
  – Observed attacker behavior
  – Recorded attacker IP addresses
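What a "custom Redis sensor" of the kind the slide mentions has to do at minimum, as an added example that is not Endgame's sensor: speak enough of the Redis wire protocol (RESP) to decode what a client sends, record every command together with the source address and time, and answer without ever executing anything. The parser handles the `*N` array form real clients send and the inline form typed by hand, and refuses truncated input rather than logging a half command. The sample byte streams are constructed; the listener at the bottom is a plain `socketserver` loop that is only started when the file is run directly.

```python
import socketserver
import time
from collections import defaultdict


def parse_resp_stream(data: bytes):
    """Split a raw client byte stream into commands (lists of string arguments).

    RESP array form:  *2\r\n$4\r\nINFO\r\n$6\r\nserver\r\n
    Inline form:      PING\r\n
    Raises ValueError on truncated or malformed input.
    """
    commands, pos = [], 0
    while pos < len(data):
        if data[pos:pos + 1] == b"*":
            end = data.index(b"\r\n", pos)            # ValueError if no terminator
            count = int(data[pos + 1:end])
            pos = end + 2
            args = []
            for _ in range(count):
                if data[pos:pos + 1] != b"$":
                    raise ValueError("expected bulk string at offset %d" % pos)
                end = data.index(b"\r\n", pos)
                length = int(data[pos + 1:end])
                pos = end + 2
                chunk = data[pos:pos + length]
                if len(chunk) != length or data[pos + length:pos + length + 2] != b"\r\n":
                    raise ValueError("truncated bulk string at offset %d" % pos)
                args.append(chunk.decode("utf-8", "replace"))
                pos += length + 2
            commands.append(args)
        else:
            end = data.index(b"\r\n", pos)
            commands.append(data[pos:end].decode("utf-8", "replace").split())
            pos = end + 2
    return commands


class SensorLog:
    """What the sensor keeps: per source IP, every command with its timestamp."""

    def __init__(self):
        self.sessions = defaultdict(list)   # src_ip -> [(timestamp, args), ...]

    def record(self, src_ip, timestamp, data):
        commands = parse_resp_stream(data)
        for args in commands:
            self.sessions[src_ip].append((timestamp, args))
        return commands

    def command_names(self, src_ip):
        """Distinct command verbs a source used, upper-cased, for quick comparison."""
        return sorted({args[0].upper() for _, args in self.sessions[src_ip] if args})

    def sources(self):
        return sorted(self.sessions)


class RedisSensorHandler(socketserver.BaseRequestHandler):
    """Logs whatever the client sends; answers PING and refuses everything else."""
    log = SensorLog()

    def handle(self):
        data = self.request.recv(65536)
        try:
            commands = self.log.record(self.client_address[0], time.time(), data)
        except ValueError:
            commands = []
        for args in commands:
            if args and args[0].upper() == "PING":
                self.request.sendall(b"+PONG\r\n")
            else:
                self.request.sendall(b"-ERR unknown command\r\n")


# Constructed sample of one client's traffic, as the listener would receive it.
SAMPLE_STREAM = b"*1\r\n$4\r\nPING\r\n*2\r\n$4\r\nINFO\r\n$6\r\nserver\r\n"

if __name__ == "__main__":
    log = SensorLog()
    log.record("198.51.100.23", time.time(), SAMPLE_STREAM)
    print(log.sources(), log.command_names("198.51.100.23"))
    # Start the sensor on the Redis port; Ctrl-C to stop.
    with socketserver.TCPServer(("0.0.0.0", 6379), RedisSensorHandler) as server:
        server.serve_forever()
```

The value of such a sensor is the record, not the reply: once the log exists, the per-source command lists can be compared across sensors to separate the scanners that only send `PING`/`INFO` from the ones that go further, and the source list feeds the same targeted-versus-omnidirectional lookup used earlier in the deck.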
CVE-????-????
• Traffic observed targeting unknown devices
• No known vulnerabilities on services running on those ports
Fun Stuff
• Data Science Early Warning Applications
• Dangling DNS
• Bandwidth budget calculation
• Worm tracking
• Search engine spoofing
• Reflected DDOS attacks
• Provider threat model
Really Fun Stuff
• Integration into Endgame cyber operations platform
  – Visibility into novel attacker techniques
  – Ability to collect new malware samples
  – Input into reputation services
  – Situational awareness
Conclusion
• Whether an attack is targeted or not
• Derive Internet-wide vulnerability exploitation attempts
• Collect omnidirectionally targeted malware samples
Questions?