lastline: next generation malware detection and defense

Next Generation Malware Detection and Defense Lastline, Inc. Santa Barbara, CA

Upload: paolo-passeri

Post on 14-Jan-2015


Page 1: Lastline: Next Generation Malware Detection and Defense

Next Generation Malware Detection and Defense
Lastline, Inc.
Santa Barbara, CA

Page 2

Targeted Attacks and Cyberwarfare

[Chart: Cyberattack (R)Evolution. Axes: Time against $$ Damage (Hundreds, Thousands, Hundreds of Thousands, Millions, Billions). Labelled stages: Cybervandalism, Cybercrime, Targeted Attacks and Cyberwarfare.]

Page 3

Current Defenses Have Failed

Targeted attacks are mainstream news. Every week, new breaches are reported. Here are just a few examples.

January 10, 2014

Page 4

Why Should You Care?

• If you have assets of value, it is not a question of whether you are being targeted, but where the blind spots exist in your environment
• A compromise results in a backdoor into your network, providing cybercriminals with interactive access
• With Lastline’s solutions you can obtain visibility and identify active advanced malware targeting not only your systems, but your key intellectual property and business assets

Page 5

Current solutions fail to protect organizations from sophisticated, targeted attacks.

[Chart: threat sophistication (Simple Threats, Sophisticated Threats, Evasive Threats) against attack type (Opportunistic Attacks, Targeted Attacks). Regions labelled Antivirus Solutions, APT Solutions and Security Gap. Plotted threats: Plain Virus, Packing, Polymorphic, C&C Fluxing, Persistent Threats, Evasive Threats.]

Page 6

Lastline, Inc.

Most advanced solution to detect, analyze, and mitigate APTs, targeted attacks, and 0-day threats

• Founded by top security professors and malware researchers
– World-renowned academics
– Based on 8+ years of research on APTs
– Focus on innovation
– Developers of Anubis / Wepawet

http://tinyurl.com/ms-top-authors

Page 7

Anubis / Wepawet

• Most popular free tools for malware analysis, accessible through web portals
• Used by tens of thousands of users (including Fortune 500 companies, government and financial institutions, and security vendors)
• Anubis: Advanced malware analysis
– http://anubis.cs.ucsb.edu
• Wepawet: Drive-by exploit detector
– http://wepawet.cs.ucsb.edu
• Tools produced by research on advanced malware over the past 8 years
– http://www.iseclab.org
• Many ideas and lessons learned from Anubis and Wepawet incorporated into Lastline’s next-generation analysis engines

Page 8

Lastline Enterprise Solution

[Architecture diagram; attack vectors shown: Drive-by attack, Spear-phishing, Command and control]

Sensor: scans traffic for signs and anomalies that reveal C&C connections and infections
Manager: correlates alerts and produces actionable intelligence
Engine: analyzes unknown objects (programs and docs) with high-resolution analysis
Lastline proactively crawls the Internet for threats and updates the Sensor’s knowledge base
Feedback for global threat intelligence

Page 9

Key Technology

1. High-resolution analysis engines
– CPU emulation provides deep insights into malware execution
– Necessary to detect and bypass evasive checks
– Expose malicious behaviors that existing sandboxes don’t see

2. Big data analytics
– Anomaly detection of suspicious outbound command-and-control (C&C) flows
– Internet-scale, active discovery of threats
– Correlation of low-level events into actionable threat intelligence

Page 10

High-Resolution Malware Analysis

[Diagram comparing the two approaches]

Visibility without code emulation (traditional sandboxing technology)
Important behaviors and evasion happen here (diagram annotation)

Visibility with code emulation (Lastline technology)
Engine sees every instruction that the malware executes

Page 11

High-Resolution Malware Analysis

• Support for different types of analysis targets
– Windows executables (Windows XP and Windows 7)
– Android applications
– Malware embedded in documents (MS Office, PDF)
– Web pages (JavaScript, Flash, Java)

Page 12

Key Technology (same content as page 9)

Page 13

Enterprise Traffic Monitoring

• Identification of anomalous network traffic that reveals the presence of malware-infected machines
• Analysis of (passive) DNS and NetFlow data to detect
– Use of domain name generation algorithms
– IP fast-flux activity
– Suspicious, periodic (command and control) traffic
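The three detections listed on this slide (and the pDNS/netflow anomaly analysis on the product slides), sketched as an added example that is not Lastline’s code: toy heuristics over constructed passive-DNS and NetFlow records, where the record tuple layout, the thresholds and all hosts, names and addresses are assumptions made for the example.

```python
"""Toy pDNS/NetFlow detectors (added example, not Lastline code): DGA lookups, fast-flux names, C&C beacons."""
import math
from collections import Counter, defaultdict
def entropy(s):
    """Shannon entropy (bits per character) of the string s."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def dga_hosts(pdns, min_nx=5, min_entropy=2.5):
    """Hosts with many NXDOMAIN answers for high-entropy labels (DGA behaviour).
    pdns rows are assumed tuples: (src_host, qname, rcode, ttl, answer_ip)."""
    nx = defaultdict(int)
    for host, qname, rcode, _ttl, _ip in pdns:
        if rcode == "NXDOMAIN" and entropy(qname.split(".")[0]) >= min_entropy:
            nx[host] += 1
    return sorted(h for h, c in nx.items() if c >= min_nx)

def fastflux_domains(pdns, min_ips=4, max_ttl=300):
    """Domains resolving to many distinct IPs with short TTLs (IP fast-flux)."""
    ips = defaultdict(set)
    for _host, qname, rcode, ttl, ip in pdns:
        if rcode == "NOERROR" and ttl <= max_ttl:
            ips[qname].add(ip)
    return sorted(d for d, s in ips.items() if len(s) >= min_ips)

def beaconing_flows(flows, min_flows=6, max_cv=0.1):
    """(src, dst) pairs whose inter-arrival times are near-constant, the periodic
    signature of C&C beaconing. flows: (timestamp_s, src, dst); CV = stdev/mean."""
    times = defaultdict(list)
    for ts, src, dst in flows:
        times[(src, dst)].append(ts)
    hits = []
    for pair, ts in times.items():
        if len(ts) < min_flows:
            continue
        ts.sort()
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        mean = sum(gaps) / len(gaps)
        cv = math.sqrt(sum((g - mean) ** 2 for g in gaps) / len(gaps)) / mean if mean else float("inf")
        if cv <= max_cv:
            hits.append(pair)
    return sorted(hits)
# Constructed sample telemetry (not real data): a DGA host, a fast-flux domain, a 300 s beacon, normal browsing.
PDNS = [("10.0.0.5", n + ".example", "NXDOMAIN", 0, None) for n in
        ("x7qk2mzp", "bq9wlf3t", "zk4vr8yn", "m2pxq7wj", "t9hz3kqb")]
PDNS += [("10.0.0.8", "cdn.example", "NOERROR", 60, "198.51.100.%d" % i) for i in range(1, 5)]
PDNS += [("10.0.0.9", "www.example", "NOERROR", 3600, "203.0.113.10")]
FLOWS = [(1000 + 300 * i, "10.0.0.5", "203.0.113.77") for i in range(8)]
FLOWS += [(1000 + t, "10.0.0.9", "203.0.113.10") for t in (3, 40, 41, 200, 650, 700, 1500)]
```

Real deployments tune the thresholds against baseline traffic; CDNs with short TTLs and benign periodic software updates are the usual sources of false positives for the last two heuristics.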

Page 14

Active Threat Discovery

• Identification of threats and automated generation of detection models before the customer is exposed
• Cloud-based crawling and analysis engines
– Perform targeted web crawling and search for bad neighborhoods on the Internet
– Comprehensive coverage for both malware threats and distribution vectors (drive-by exploits)
– Precise models generated through machine-learning and large-scale clustering algorithms

Page 15

Correlation

• Root-cause analysis for events that match threat intelligence and models
• “Sea of events” syndrome
• Support informed decision-making (actionable threat intelligence)
– Improves confidence
– Allows for the suppression of “ghost alerts”
– Storyboard-like description of infection

Page 16

Lastline Products

Lastline Analyst™ (Manager, Engine): High-Resolution Malware Analysis
– Dynamic analysis in next-generation sandbox
• Executes binaries, accesses web pages, opens documents
• Monitors and classifies observed behaviors
– CPU emulation
• Visibility into every instruction that malware executes, not just the operating system calls
• Provides vastly increased ability to detect malicious and evasive behavior

Lastline Enterprise™ (Sensor, Manager, Engine): High-Resolution Network Analysis
– Detect and block
• Command & Control traffic
• Infection vectors such as drive-by-download attacks
• Inbound malicious emails
– Automated collection of potentially malicious files for analysis
– Analysis of pDNS and netflow data to identify anomalies
– Scalable, distributed architecture

[Platform diagram: Network Analysis and Object Analysis. Components shown: Passive DNS, Netflow, Correlation, Network Fingerprints, Global Threat Intelligence, Anomaly-Based Command & Control Detection. Analysis targets: Android APK, Web URLs, Non-executable files, Executable files.]

Page 17

Lastline Enterprise On-Premise

[Same architecture diagram as page 8: Sensor (scans traffic for signs and anomalies that reveal C&C connections and infections), Manager (correlates alerts and produces actionable intelligence), Engine (analyzes unknown objects (programs and docs) with high-resolution analysis); Lastline proactively crawls the Internet for threats and updates the Sensor’s knowledge base; attack vectors: Drive-by attack, Spear-phishing, Command and control.]

Page 18

Lastline Enterprise Hosted

[Same architecture diagram as page 8, with a region labelled Lastline’s Datacenter: Sensor (scans traffic for signs and anomalies that reveal C&C connections and infections), Manager (correlates alerts and produces actionable intelligence), Engine (analyzes unknown objects (programs and docs) with high-resolution analysis); Lastline proactively crawls the Internet for threats and updates the Sensor’s knowledge base; attack vectors: Drive-by attack, Spear-phishing, Command and control.]

Page 19

Actionable Intelligence You Can Trust

• Lastline Enterprise identifies with confidence the backdoors in your network
• Detailed analysis supports the remediation process defined within the Enterprise

Page 20

Correlated Events

[Screenshot: everything correlated into a single incident]
Stage 1: Connection to the drive-by site
Stage 2: Malicious binary download
Stage 3: Malicious C&C connections

Page 21

Economic Advantages

• Per-user pricing
• Non-proprietary, low-cost hardware
• Cost-effective, full network coverage
• Your choice of on-premise or hosted deployment
• Future-proofing via a platform approach which provides API access for integration

Page 22

[Platform diagram: Lastline Platform, High-Resolution Analysis. Lastline Enterprise™ (Sensor, Manager, Engine) and Lastline Analyst™ (Manager, Engine). Components shown: Passive DNS, Netflow, Correlation, Network Fingerprints, Global Threat Intelligence, Network Analysis, Object Analysis (Android APK, Web URLs, Non-executable files, Executable files), Anomaly-Based Command & Control Detection.]

Summary

• Detection - Most Advanced Malware Analysis
– High-resolution analysis engine (CPU emulation)
– Supports multiple operating systems and file formats
• Management - Complete Protection
– Event roll-up and correlation
– Detailed behavior information for entire threat chain
• Deployment - Flexible & Scalable
– Three-tiered architecture on-premise or hosted
– Efficient multi-protocol sensors on-premise (for enforcement and data collection)
– Hosted solution offers analysis in the cloud
– Pricing that is practical for your budget

Page 23

For more information visit www.lastline.com or contact us at [email protected]