1) Faraday is a global network of sensors that collects untargeted malware and internet traffic geographically and logically dispersed to extract the malware signal from internet noise. 2) The sensors can provide insights into whether attacks on a network are targeted or omnidirectional mass exploits, and monitor for probing and exploitation of newly disclosed vulnerabilities. 3) The data collected by Faraday can be used for early warning applications, tracking worms and attackers, and integrating with cyber operations platforms to gain visibility into novel techniques and collect new malware samples.

1. Extracting the Malware Signal from
Internet Noise
Andrew Morris, Researcher
1

2. # whoami
• Andrew Morris
• Background in offense
• R&D @ Endgame
2

3. Tactical Insights from Global Trends
• My network is being scanned/attacked
– Am I being targeted specifically?
– Are other people seeing this as well?
• A vulnerability has been disclosed
– Is anyone probing for this vulnerability?
– Is anyone exploiting this vulnerability?
3

4. 4
Faraday
A Global Network of Sensors
Untargeted
Malware
Geographically &
Logically
Dispersed
Omnidirectional
Internet Traffic for
Collection &
Analysis
If something is *not* in Faraday, it is likely targeted

5. Capabilities
Iptables
HTTP
Telnet
FTP
SSH
Strategic Packet Capture
Custom sensors
5

6. Faraday Architecture
6

7. Four Kinds of Traffic on Your Network
The difference between these can be hundreds of thousands of $$ in incident response
Worm, Mass
Exploit
Campaign
Regular Web
User
Advanced
Persistent
Threat
Search Engines
(e.g. Google)
MaliciousBenign
Omnidirectional Targeted
7

8. My Network is Being Attacked
Omnidirectional Malicious
$ faraday --ip
123.123.123.123 | wc -l
42013
Targeted Malicious
$ faraday --ip 1.2.3.4|
wc -l
0
8

9. A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?
9

10. Cisco CVE-2016-1287
Cisco ASA Software IKEv1
and IKEv2
Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects all Cisco ASAs
0
500
1000
1500
2000
2500
3000
Faraday Port 500
Faraday Port
500
10

11. Cisco CVE-2016-1287
The spike and diversity of IP addresses over time implies:
• People are not just probing, but actively targeting it
• Where they are coming from
• Who may have known about the vulnerability prior to public
disclosure
• It is not (yet) being massively exploited
11

12. Redis CVE-2015-4335
• Remote code execution vulnerability in
Redis
– Built and deployed a custom Redis sensor
less than 24 hours after the vulnerability was
published
– Observed attacker behavior
– Recorded attacker IP addresses
12

13. CVE-????-????
• Traffic observed targeted unknown
devices
• No known vulnerabilities on services
running on those ports
13

14. Fun Stuff
• Data Science Early Warning Applications
• Dangling DNS
• Bandwidth budget calculation
• Worm tracking
• Search engine spoofing
• Reflected DDOS attacks
• Provider threat model
14

15. Really Fun Stuff
• Integration into Endgame cyber operations platform
– Visibility into novel attacker techniques
– Ability to collect new malware samples
– Input into reputation services
– Situational awareness

16. Conclusion
• Whether an attack is targeted or not
• Derive Internet-wide vulnerability exploitation
attempts
• Collect omnidirectionally targeted malware
samples
16

17. 17
Questions?

18. Thank You!
amorris@endgame.com
@andrew___morris
18