reacting to advanced, unknown attacks in real-time with lastline
TRANSCRIPT
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Engin Kirda // [email protected]., Prof., Co-Founder & Chief Architect, Lastlinewww.lastline.com
Me
• Professor at Northeastern University, Boston– started malware research in about 2004– Helped build and release popular malware analysis and
detection systems (Anubis, Exposure, …)
• Co-founder of Lastline, Inc.– Lastline offers protection against zero-day threats and
advanced malware– Commercialization of many years of advanced research
Copyright ©2014 Lastline, Inc. All rights reserved. 2
Overview of This Talk
• Introduction to the Problem• Evasive Malware (Backoff examples)• Automatically Mitigating Breaches• Conclusion
Copyright ©2014 Lastline, Inc. All rights reserved. 3
Targeted Attacksand Cyberwar
!!!
Cyberattack (R)Evolution
Time
$$ Damage
Millions
Hundreds of Thousands
Thousands
Hundreds
Billions
Cybercrime
$$$Cybervandalism
#@!
Copyright ©2014 Lastline, Inc. All rights reserved. 4
Online Crime is a Business• Klikparty, 2007
Copyright ©2014 Lastline, Inc. All rights reserved. 5
Online Crime is a Business• Klikparty, 2007
Copyright ©2014 Lastline, Inc. All rights reserved. 6
Malware is a Problem of Scale …
Copyright ©2014 Lastline, Inc. All rights reserved. 7
… and Sophistication
Simple Threats
Opp
ortu
nist
ic A
ttac
ks
APT Solutions
AntivirusSolutions
Current solutions fail to protect organizations from sophisticated, targeted attacks.
Security Gap
Targ
eted
Att
acks
Packing
Sophisticated Threats
Plain Virus
Poly-morphic
C&C
Fluxing
PersistentThreats
EvasiveThreats
Copyright ©2014 Lastline, Inc. All rights reserved. 8
Copyright ©2014 Lastline, Inc. All rights reserved.
Lastline Labs AV Vendor ReviewAntivirus systems take months to catch up to highly evasive threats.
9
You’ve Probably Read This:Recent Payment Breaches
• The last year has seen a dramatic escalation in the number of breached PoS systems
• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
• In few cases an early alarm was received, but it was ignored since indistinguishable from the background noise.
Copyright ©2014 Lastline, Inc. All rights reserved. 10
What is Backoff?
• Malware used in numerous breaches in the last year
• Secret Service currently estimates 1,000+ U.S. businesses affected
• Targeted to PoS systems
• Evades analysis
11Copyright ©2014 Lastline, Inc. All rights reserved.
What is Backoff?
[1 Slide Summary from Kyle]• Product screenshot?
• Mention evasive behaviors exhibited
12Copyright ©2014 Lastline, Inc. All rights reserved.
What is Backoff?
• Timing evasion (an anti-VM technique)
• Utilizes code obfuscation
• Also uses rare and poorly emulated instructions to defeat simple emulators
• Attempts to encrypt parts of the command and control traffic
13Copyright ©2014 Lastline, Inc. All rights reserved.
14Copyright ©2014 Lastline, Inc. All rights reserved.
How are the attackers deploying it?
• Scan for Internet facing Remote Desktop applications
• Brute force login credentials
• Often successfully find administrative credentials
• Use admin credentials to deploy Backoff to remote PoS systems
15Copyright ©2014 Lastline, Inc. All rights reserved.
Malware authors are not stupid• Clearly, they got the news that sandboxes are all the
rage now• since the code is executed, malware authors have
options
Evasion defined• Develop code that exhibits no malicious behavior in a
traditional sandbox, but still infects the intended target• Can be achieved in a variety of ways…
Understanding Evasive Malware
• Malware can detect underlying runtime environment– differences between virtualized and bare metal environment– checks based on system (CPU) features– artifacts in the operating system
• Malware can detect signs of specific analysis environments– checks based on operating system artifacts (files, processes, …)
• Malware can avoid being analyzed– tricks in making code run that analysis system does not see– wait until someone clicks something– time out analysis before any interesting behaviors are revealed– simple sleeps, but more sophisticated implementations possible
16Copyright ©2014 Lastline, Inc. All rights reserved.
Understanding Evasive Malware
17Copyright ©2014 Lastline, Inc. All rights reserved.
3 Ways to Build a SandboxNot all sandbox solutions can detect highly evasive malware.
18Copyright ©2014 Lastline, Inc. All rights reserved.
Virtualized Sandboxing vs. Full System EmulationEven APT Solutions with virtualized sandboxing fail to detect highly evasive malware.
Sensor Analyzes network, email, web, and mobile traffic. Detects callbacks and extracts objects for advanced malware analysis and stops cyber threats.
Manager Correlates low-level threat events into high-level network incident views of network and object activity.
Engine Analyzes objects with a next-generation sandbox using full-system emulation. This approach allows for greater visibility into advanced malware.
Threat Intel Offers a rich knowledge base of malicious network sources and objects containing advanced cyber threats built through machine learning, web crawling, emulated browsers, automated and dynamic techniques.
API Provides ability to submit objects for advanced malware analysis from any third-party sensor or system, queries the Threat Intelligence and displays pertinent threat information.
software
software
software
subscription
software
Lastline Platform Components
Copyright ©2014 Lastline, Inc. All rights reserved. 19
Suitable for those environments with tight requirements in terms of privacy and compliance. Customers may decide to share anonymous information with the Lastline Labs
Copyright ©2014 Lastline, Inc. All rights reserved.
Lastline Enterprise On-Premise
20
Suitable for those customers who want to minimize the operational effort
Lastline Enterprise Hosted
Copyright ©2014 Lastline, Inc. All rights reserved. 21
Technology Plays a Crucial Role but…• Deploying an advanced solution to detect and mitigate a
breach is a crucial input for the breach detection process• However, to fully leverage the detection capabilities, the
platform must be easily integrated into an organization from both a technology and a process perspective
Copyright ©2014 Lastline, Inc. All rights reserved. 22
It’s Part of a Multi-Phase Process
Copyright ©2014 Lastline, Inc. All rights reserved.
• Who, when, where, how?
• Avoid the “Target Syndrome”;
• Build a process that is incident-based rather then
event-based;
• Deploy a Scalable Architecture;
• Provide a comprehensive coverage in terms of attack vectors; Reduce the TCO and boost the ROI;
• Quickly and Seamlessly adapt to changes;
• Provide multi-dimensional actionable threat intelligence;
• Feed Automated Systems (SIEM, Trouble Ticketing);
• Identify reliable IOCs
• Use the correlated information to quickly enforce countermeasures
23
Correlate the Information
Copyright ©2014 Lastline, Inc. All rights reserved.
• Lastline Enterprise Platform provides an incident-centric view, rather then an event-centric view
• Single events are post-processed and summarized into high-level incidents
28
Correlate the Information
Copyright ©2014 Lastline, Inc. All rights reserved.
Stage 1: Connection to the Drive-By Site
Stage 2: Malicious Binary Download
Stage 3: Malicious C&C connections
Everything correlated into a single incident
Security Analysts look at a single incident rather than
4 separated events
Result of the correlation process:Drive-by + Malicious Binary Download =------------------------------------Endpoint successfully compromised!
29
Share the Actionable Threat Intelligence
Copyright ©2014 Lastline, Inc. All rights reserved.
• The post-processed information can be exported to external devices
• For further integration, Lastline API can be easily integrated with existing security infrastructures
• SWGs (Secure Web Gateways), IPSs (Intrusion Protection System), NGFWs (Next-Generation Firewalls) and SIEM (Security Information Event Management) installations can all interoperate seamlessly with Lastline Enterprise
30
Copyright ©2014 Lastline, Inc. All rights reserved.
• The information provided by the Lastline Enterprise reports can be used at different levels Operational level: extract the information to contain and mitigate the breach Analytical level: perform post-mortem forensic analysis
Providing Multi-Dimensional Information…
31
Copyright ©2014 Lastline, Inc. All rights reserved.
Security Analysts can extract the Process Dumps and analyse them on Ida PRO
It is also possible to derive reliable IoC.
Detailed Information for Security Analysts
32
User n
User 1
C&C Site
Exploit Site
1
2
3
5
Feedback To Global Threat Intelligence
User 2
Copyright ©2014 Lastline, Inc. All rights reserved.
4
Automatically Mitigating the Breach
33
• The sensor detects an advanced threat for the organization• The artifact is analyzed by the Lastline Engine leveraging full
system emulation• The manager triggers an alert using post processing and
correlation to ensure it is displayed with the right priority;• The information can be automatically transmitted in real time to
the third parties products part of the Lastline Defense Program, or virtually to any other technology by means of the Lastline API
• Other occurrences of the same threats are immediately detected and blocked
Copyright ©2014 Lastline, Inc. All rights reserved.
1
2
3
4
5
Mitigating the Breach
34
For more information visit www.lastline.comor contact us at [email protected].
Thank You!