
NGSec2014

952 views

Presentation from NGSec 2014.

Published in: Technology

  1. Copyright © 2013 Blue Coat Systems Inc. All Rights Reserved.
     HOW TO FIND A NEEDLE IN A HAYSTACK, OR SECURITY ANALYTICS IN PRACTICE
     ROBERT MICHALSKI, Senior Systems Engineer, robert.michalski@bluecoat.com
  2. “Fixed fortifications are monuments to man’s stupidity.” — General George S. Patton
     SOMEBODY TELL ME..
  3. (image-only slide, no text extracted)
  4. TERMINOLOGY REVIEW
     § Packets, Flows, and Sessions
       • Packet: A single data “envelope” with all its addressing tacked on.
       • Flow: A sequence of packets that make up a single connection or “call” in one direction.
       • Session: A combination of flows that comprise a “conversation” between two devices.
     § Source:Destination vs Initiator:Responder pairings
       • Source is the start point of a packet and/or flow; Destination is where the data terminates.
       • Initiator is the “caller” in a session; Responder “answers” the call.
  5. NETWORK FORENSICS: METADATA
     § “Data about data”
     § Very broad term, can refer to lots of different kinds of data
       • Addressing information
       • “Applications” – i.e., Facebook, Twitter
       • Criteria that define files, or data embedded inside files
         – E.g., EXIF information embedded in JPEGs
       • Usernames and passwords
       • Characteristics of Web sessions
       • Size or content of packets, flows, or sessions
       • Additional info about the data sender or receiver
         – Public or private reputation
         – Geolocation
         – Alternate identities or aliases
  6. CONTENT ANALYSIS
     § Looking for content that’s out of the ordinary
       • Especially with out-of-band behavior
     § Examples of unusual content
       • Non-file data returned by HTTP GET requests for files
         – Or the reverse, files returned by odd-looking requests
       • iFrames to unexpected locations embedded in HTML pages
       • Content-Disposition mismatches
       • Data encoded in base64 or some other encoding scheme
       • Obfuscated JavaScript
       • HTTP GETs or POSTs with 200 OK responses, returning nothing
  7. BEHAVIORAL ANALYSIS: OUT OF THE ORDINARY
     § Examples of unusual behavior
       • High volumes of data over unexpected ports
       • Visits to randomized or algorithmically-generated domain names or URI strings
       • Regular traffic at highly specific, predictably regular intervals
       • High volumes of HTTP GET or POST requests to Countries We Should Not Be Talking To
       • More HTTP GETs, faster than a human could possibly click.
         – Easier (and more interesting) to show than to describe
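Two of the behaviors listed on this slide, callbacks at timer-like regular intervals and request rates no human could click, fall straight out of session metadata. The following is an added example, not code from the deck or from Blue Coat: it runs both checks over a constructed set of (timestamp, initiator, responder) records; the hostnames, addresses and thresholds are assumptions for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample proxy records: (epoch seconds, initiator IP, responder host).
# 10.0.0.5 calls home every 300 s, 10.0.0.7 browses irregularly,
# 10.0.0.9 fires eight GETs inside one second.
RECORDS = (
    [(1000 + 300 * i, "10.0.0.5", "cdn-update.example.test") for i in range(6)]
    + [(1000 + t, "10.0.0.7", "news.example.test") for t in (0, 47, 130, 135, 600, 1234)]
    + [(2000 + 0.1 * i, "10.0.0.9", "ads.example.test") for i in range(8)]
)

def group_by_pair(records):
    """Bucket request timestamps per (initiator, responder) session pair."""
    pairs = defaultdict(list)
    for ts, client, host in records:
        pairs[(client, host)].append(ts)
    return {pair: sorted(times) for pair, times in pairs.items()}

def find_beacons(records, min_events=5, min_period=60.0, max_cv=0.1):
    """Return {pair: mean gap} for pairs whose inter-request gaps are
    suspiciously regular. Regularity is the coefficient of variation
    (stdev / mean) of the gaps: a timer scores near 0, a human does not."""
    hits = {}
    for pair, times in group_by_pair(records).items():
        if len(times) < min_events:
            continue
        gaps = [later - earlier for earlier, later in zip(times, times[1:])]
        avg = mean(gaps)
        if avg < min_period:
            continue  # sub-minute gaps are bursts, not timer-driven callbacks
        if pstdev(gaps) / avg <= max_cv:
            hits[pair] = round(avg, 1)
    return hits

def find_bursts(records, window=1.0, max_requests=4):
    """Return initiators that issue more than max_requests inside any
    window-second span, i.e. faster than a person could click."""
    per_client = defaultdict(list)
    for ts, client, _ in records:
        per_client[client].append(ts)
    bursty = set()
    for client, times in per_client.items():
        times.sort()
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:
                start += 1
            if end - start + 1 > max_requests:
                bursty.add(client)
                break
    return bursty
```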
  8. METADATA: PORTS AND PROTOCOLS
     § Responder ports are well defined from 0-1024, and standardized to specific applications by IANA
       • HTTP uses ports 80/TCP and 8080/TCP
       • SSL typically over 443/TCP
       • IRC commonly on 6667/TCP
       • Malware writers don’t give a $#!^ about that!
       • Plenty of bad stuff happens on standard ports/protocols
       • A lot uses nonstandard ports/protocols, too
  9. METADATA: HTTP-SPECIFIC
     § Multitude of factors to evaluate in HTTP traffic
       • Request type (GET, POST, HEAD, PUT)
       • Response codes (200, 404, 302)
       • HTTP server type (Apache, IIS, nginx)
       • Geographic origin
  10. METADATA: STUFF INSIDE HTTP
     • Session content:
       – Artifact MIME types
       – Artifact and responder reputations
       – Volume of inbound data vs. outbound data
       – High volumes of certain kinds of responses: 404s, 302s
       – Filename and Content-Disposition name mismatches
  11. METADATA: USER-AGENT STRINGS
     § Supposed to identify the software making an HTTP request
       • It’s part of most standard HTTP request headers
       • Relies on the software to self-identify honestly
         – Malware lies
     § Let’s parse a sample User-Agent string together
  12. WHEN USER-AGENT TELLS A STORY.. (image-only slide)
  13. THE REDUCTIONIST METHOD
     § Start with everything
     § Remove the stuff you know* is good
       *Only eliminate certainties
     § What remains bears further scrutiny
       • Rinse, repeat
         – Let the scum rise to the surface, then skim it
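Slides 11 and 13 combine into one simple hunt: parse each User-Agent into its product tokens, eliminate only the products you are certain are legitimate, and scrutinize what remains, rarest first. The following is an added example, not code from the deck or from Blue Coat; the User-Agent strings, their session counts and the KNOWN_GOOD set are constructed for it.

```python
import re
from collections import Counter

# Constructed User-Agent strings, one per HTTP session, with made-up counts.
SESSIONS = (
    ["Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) "
     "Chrome/35.0.1916.153 Safari/537.36"] * 40
    + ["Mozilla/5.0 (Windows NT 6.1; Trident/7.0; rv:11.0) like Gecko"] * 25
    + ["Microsoft-CryptoAPI/6.1"] * 10
    + ["Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1)"] * 2
    + ["svchost"]
)

# Products the analyst has verified as legitimate on this network (assumed).
# Only certainties belong here; "Mozilla" is claimed by nearly everything.
KNOWN_GOOD = {"Chrome", "Trident", "Microsoft-CryptoAPI"}

# RFC 7231 User-Agent grammar: product[/version] tokens and (comments).
TOKEN_RE = re.compile(r"([^\s/()]+)(?:/(\S+))?|\(([^)]*)\)")

def parse_user_agent(ua):
    """Return ([(product, version), ...], [comment item, ...]) for one UA."""
    products, comments = [], []
    for m in TOKEN_RE.finditer(ua):
        if m.group(3) is not None:
            comments.extend(part.strip() for part in m.group(3).split(";"))
        else:
            products.append((m.group(1), m.group(2)))
    return products, comments

def is_known_good(ua, known_good=KNOWN_GOOD):
    """True if any product named in the UA (tokens or comments) is vetted."""
    products, comments = parse_user_agent(ua)
    names = {name for name, _ in products}
    names |= {item.split("/")[0] for item in comments}
    return bool(names & known_good)

def reduce_user_agents(sessions, known_good=KNOWN_GOOD):
    """Reductionist pass: count every UA, drop the certainly-good ones, and
    return [(ua, session count), ...] rarest first for analyst scrutiny."""
    counts = Counter(sessions)
    remainder = [(ua, n) for ua, n in counts.items() if not is_known_good(ua, known_good)]
    return sorted(remainder, key=lambda pair: pair[1])
```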
  14. (image-only slide, no text extracted)
  15. ADVANCED THREAT PROTECTION – DRIVING REAL-WORLD USE CASES
     INTEGRATED ECOSYSTEM: Situational Awareness; Incident Response; Policy & ITGRC; Data Loss Monitoring & Analysis; Advanced Malware Detection; Continuous Monitoring
     ANALYTICS AND INTELLIGENCE
       • Collect & Warehouse
       • Investigate
       • Alert & Report
     ENRICHMENT
       • Technology Partners
       • File Analysis & IP Reputation
       • Malware Sandboxing
     FLEXIBLE FORM FACTORS
       • Hardware
       • Software
       • Virtual Machines
     Web Control and Security Enforcement
  16. ANALYZE & MITIGATE
     Malware Analysis Appliance: Hybrid Sandboxing (PC Emulator, Virtual Machine)
       • Dual-Detection Hybrid Analysis of Suspicious Samples
       • Closely Replicates Customer’s Gold Configurations
       • Automated Risk Scoring and Rich Analysis
     Quickly analyze and prioritize advanced and zero-day threats for remediation and continuous security improvement
  17. HYBRID SANDBOXING TECHNOLOGY
     Comparison of the two analysis environments, SandBox® Analysis Environment vs. IntelliVM Analysis Environment:
     Overview
       SandBox®:  Software x86 emulator, purpose-built environment for malware analysis with all system elements controlled
       IntelliVM: Fully-licensed Windows operating system environments: Win XP SP3, Win 7 SP1, Win 7 x64 SP1, Win 8.0
     Methodology
       SandBox®:  Hardware emulation including BIOS, CPU, memory, operating system, storage, network and other hardware
       IntelliVM: Hardware virtualization in virtual machines (VMs) customized to closely replicate production systems
     Events
       SandBox®:  Generates numerous low-level events, such as page faults and exceptions, extremely quickly
       IntelliVM: Generates high-level events – threads, processes, named objects, file system, registry, and network
     Network
       SandBox®:  Emulated network access and services including fake DNS resolution and dummy IRC responses
       IntelliVM: Real network access and services with configurable firewalls allowing isolated, controlled network, or full internet access
     Detection
       SandBox®:  Hook-based event introspection with anti-VM detection; industry’s most mature commercial sandbox
       IntelliVM: Kernel-mode capture of low-level events that are extremely difficult to evade; no user-mode capture components
     Patterns
       SandBox®:  Behavioral-based automated risk scoring from 0 to 10; includes anti-VM patterns; add your own patterns
       IntelliVM: Behavioral-based automated risk scoring from 0 to 10; anti-VM patterns; add your own patterns
     File Support
       SandBox®:  Supports portable executable EXEs and DLLs
       IntelliVM: Wide range of application and file support; analyze anything you install as it runs in its native app
     Analysis Resources
       SandBox®:  Dropped files, portable executable (PE) memory dumps; automatically select default choices on dialog boxes
       IntelliVM: Dropped files, screen shots, PCAPs, HTTP archives; extend custom processing with plugins, including advanced user emulation for dialogs and installers
  18. CUSTOMIZATION !!!
     § Patterns
       • Users of MAA can create custom patterns
       • Patterns are not the only things that are customizable; for the IntelliVM, the environment in which malware runs can also be customized
     § IntelliVM Profiles
       • IntelliVMs provide customizable, real-world environments for powerful analysis of executables, Office documents, Flash files, Java components, and non-traditional threats.
       • Based on the default Windows XP and Windows 7 profiles shipped with MAA, end users can create profiles that closely match the end-user target environments in which malware might run on their network
  19. CUSTOMIZING PROFILES
     Profile Credentials: Username: admin, Password: <blank>
  20. WHAT ARE PATTERNS?
     § Behavioral Detection Patterns
       • MAA uses behavioral detection patterns as the basis of its embedded intelligence to detect the presence of sophisticated malware that evades traditional defense mechanisms
     § MAA uses behavior-based malware classification patterns – not code-based signatures – to flag events based on potential malicious activity
     § Patterns provide risk scoring, either out of the box or customizable based on a customer’s own criteria
     § MAA reports all of the patterns that “triggered” based on the behavior of a particular sample, and these combinations of indicators can be used by the customer to further classify malware into families based on related behavioral characteristics
  21. IVM PLUGINS
     § What are iVM Plugins? What can Plugins do?
       • Custom modules written in Python that execute inside of the IntelliVM when a task is run
         – Configure execution environment and control process creation
         – Interact with processes during sample execution
         – Perform post-execution analysis of system
       • Customers / End Users can write their own plugins
     § Available Plugins
       • procdump.py – Captures memory dumps for analyzed and tainted processes
       • spyeye.py – Parses spyeye.exe process memory to extract password and decrypt configuration data
       • ghost_user.py
  22. GHOST USER PLUGIN
     § Some malware requires user interaction to fulfill its intent
       • Ghost User Plugin acts like a real user sitting in front of a real PC
     § Features
       • Advanced user interaction emulation
       • Installer and dialog box support
     § Benefits
       • Improved detection – allows for the proper execution or installation of applications, generating more intelligence, resulting in better detection
       • Improved performance – generates a new screenshot with each button press, available for step-by-step analysis as task resources
     Informative Ghost User Plugin white paper is available
  23. TASK REPORTS (image-only slide)
  24. TASK REPORTS (image-only slide)
  25. BLUE COAT SECURITY ECOSYSTEM
     GLOBAL INTELLIGENCE NETWORK; SECURITY ANALYTICS PLATFORM; PROXYSG; FIREWALL; STORAGE; IPS; SSL VISIBILITY APPLIANCE; INTERNET; CONTENT ANALYSIS SYSTEM; THIRD-PARTY SANDBOXING; MALWARE ANALYSIS APPLIANCE; THREATBLADES
  26. INTELLIGENT DEFENSE-IN-DEPTH
       • Block Known Web Threats – ProxySG
       • Allow Known Good – Content Analysis System with Application Whitelisting
       • Block Known Bad Downloads – Content Analysis System with Malware Scanning
       • Analyze Unknown Threats – Malware Analysis Appliance
     Free up resources to focus on advanced threat analysis
     Reduce threats for incident containment and resolution
     Block all known sources/malnets and threats before they are on the network
     Discover new threats and then update your gateways
  27. (image-only slide, no text extracted)
