1) Faraday is a global network of sensors, geographically and logically dispersed, that collects untargeted malware and omnidirectional internet traffic in order to separate the malware signal from internet noise.
2) Because the sensors see what everyone on the internet sees, they can tell whether attacks on a network are targeted or part of an omnidirectional mass exploit, and they can be watched for probing and exploitation of newly disclosed vulnerabilities.
3) The data Faraday collects supports early-warning applications, tracking worms and attackers, and integration with cyber-operations platforms to gain visibility into novel techniques and collect new malware samples.
3. Tactical Insights from Global Trends
• My network is being scanned/attacked
– Am I being targeted specifically?
– Are other people seeing this as well?
• A vulnerability has been disclosed
– Is anyone probing for this vulnerability?
– Is anyone exploiting this vulnerability?
4. Faraday
A Global Network of Sensors
• Untargeted malware
• Geographically & logically dispersed
• Omnidirectional internet traffic for collection & analysis
If something is *not* in Faraday, it is likely targeted
7. Four Kinds of Traffic on Your Network
The difference between these can be hundreds of thousands of $$ in incident response

                Omnidirectional                  Targeted
Malicious       Worm / mass exploit campaign     Advanced persistent threat
Benign          Search engines (e.g. Google)     Regular web user
8. My Network is Being Attacked
Omnidirectional malicious (the source shows up across the sensor network):
$ faraday --ip 123.123.123.123 | wc -l
42013
Targeted malicious (the source is absent from the sensor network):
$ faraday --ip 1.2.3.4 | wc -l
0
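The query on this slide reduces to a line count. The following is an added example, not Faraday's own code, that answers the same question ("is this attacker targeting me?") from a local index of sensor hits, but keeps the evidence a responder actually wants: how many distinct sensors saw the source and which ports it went after. The `Hit` layout, the sensor names and every hit below are constructed sample data and assumptions, not Faraday's schema.

```python
# Added example (not Faraday's own code): classify an attacking source as
# omnidirectional background noise or a likely targeted attacker, using a local
# index of sensor hits.  All hits are constructed sample data; the Hit layout and
# sensor names are assumptions, not Faraday's real schema.
from collections import Counter
from typing import NamedTuple


class Hit(NamedTuple):
    src_ip: str     # source that touched a sensor
    sensor: str     # hypothetical sensor identifier
    dst_port: int   # port the source went after


def build_sample_hits():
    """Constructed data: one source sprays every sensor on three ports, one
    source appears on a single sensor, and 1.2.3.4 never appears at all."""
    hits = []
    sensors = ["sensor-us-east", "sensor-us-west", "sensor-eu", "sensor-ap", "sensor-sa"]
    for sensor in sensors:
        for port in (22, 23, 445):
            hits.append(Hit("123.123.123.123", sensor, port))
    hits.append(Hit("198.51.100.7", "sensor-eu", 3389))
    return hits


def hits_for_ip(ip, hits):
    """Equivalent of `faraday --ip <ip>`: every hit from that source."""
    return [h for h in hits if h.src_ip == ip]


def classify_source(ip, hits, min_sensors=3):
    """Return a verdict plus the evidence behind it.

    - seen on >= min_sensors distinct sensors -> omnidirectional (background noise)
    - seen on fewer sensors                   -> low_confidence (too little data to say)
    - never seen by the network               -> likely_targeted (absence is evidence,
                                                 not proof: the sensors may simply not
                                                 cover what this attacker cares about)
    """
    seen = hits_for_ip(ip, hits)
    sensors = {h.sensor for h in seen}
    ports = Counter(h.dst_port for h in seen)
    if not seen:
        verdict = "likely_targeted"
    elif len(sensors) >= min_sensors:
        verdict = "omnidirectional"
    else:
        verdict = "low_confidence"
    return {
        "ip": ip,
        "verdict": verdict,
        "hits": len(seen),
        "sensors": len(sensors),
        "ports": dict(ports),
    }


if __name__ == "__main__":
    sample = build_sample_hits()
    for ip in ("123.123.123.123", "198.51.100.7", "1.2.3.4"):
        print(classify_source(ip, sample))
```

The `min_sensors` threshold is the part worth tuning: a source that hit one sensor once is not proof of anything, so the example refuses to call it omnidirectional and reports `low_confidence` instead of letting a single hit launder a targeted attacker into background noise.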
9. A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?
10. Cisco CVE-2016-1287
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects all Cisco ASAs
[Chart: Faraday Port 500 traffic over time, y-axis 0 to 3000]
11. Cisco CVE-2016-1287
The spike in traffic and the diversity of source IP addresses over time tell us:
• People are not just probing for it, but actively targeting it
• Where they are coming from
• Who may have known about the vulnerability prior to public disclosure (sources already active before the disclosure date)
• It is not (yet) being massively exploited
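The four bullets above are four different computations over the same port-500 hit stream. The following is an added example, not Faraday's code, that carries them out over constructed sample data keyed to this CVE (UDP/500, disclosed 2016-02-10): a per-day hit and distinct-source series (the chart), a spike factor against the pre-disclosure baseline, the source sets before and after disclosure, a heuristic for sources active just before disclosure, and the probing-versus-exploiting share. The `exploit_payload` flag is an assumption: it stands for a protocol-aware sensor having matched the exploit payload rather than an ordinary IKE probe, which a raw hit count cannot distinguish. The "early knower" heuristic is a triage filter, not an attribution.

```python
# Added example (not Faraday's code): answer the slide's questions for a newly
# disclosed vulnerability from sensor hits on the affected port.  The hits are
# constructed sample data; the exploit_payload flag is an assumption standing in
# for a payload-aware sensor, and the early-knower test is a heuristic only.
from collections import defaultdict
from datetime import date, timedelta
from typing import NamedTuple

DISCLOSED = date(2016, 2, 10)   # CVE-2016-1287 public disclosure date (from the slide)
PORT = 500                      # IKE over UDP/500, the service the bug lives in


class Hit(NamedTuple):
    day: date
    src_ip: str
    exploit_payload: bool   # ASSUMPTION: sensor matched the exploit payload, not just an IKE probe


def build_sample_hits():
    """Constructed data: a trickle before disclosure, a spike from many distinct
    sources after it.  No payload matches the exploit, so this is probing."""
    hits = []
    for d in range(-7, 0):
        day = DISCLOSED + timedelta(days=d)
        hits.append(Hit(day, "203.0.113.5", False))        # long-running background scanner
        if d >= -2:
            hits.append(Hit(day, "198.51.100.9", False))   # shows up two days before disclosure
    for d in range(0, 5):
        day = DISCLOSED + timedelta(days=d)
        for i in range(40 * (d + 1)):
            hits.append(Hit(day, f"192.0.2.{i % 200}", False))
        hits.append(Hit(day, "198.51.100.9", False))       # and keeps going afterwards
    return hits


def daily_summary(hits):
    """day -> (hit count, distinct source IPs): the two series behind the chart."""
    per_day = defaultdict(list)
    for h in hits:
        per_day[h.day].append(h.src_ip)
    return {day: (len(ips), len(set(ips))) for day, ips in sorted(per_day.items())}


def spike_factor(summary, disclosed=DISCLOSED):
    """Peak post-disclosure hits per day divided by the mean pre-disclosure rate."""
    before = [n for day, (n, _) in summary.items() if day < disclosed]
    after = [n for day, (n, _) in summary.items() if day >= disclosed]
    if not before or not after:
        return None
    baseline = sum(before) / len(before)
    return max(after) / baseline if baseline else float("inf")


def sources_by_period(hits, disclosed=DISCLOSED):
    """Where the traffic comes from: distinct source IPs before and after disclosure."""
    before = {h.src_ip for h in hits if h.day < disclosed}
    after = {h.src_ip for h in hits if h.day >= disclosed}
    return before, after


def possible_early_knowers(hits, disclosed=DISCLOSED, background_days=5):
    """Heuristic: sources active shortly before disclosure that are NOT long-running
    background scanners (seen on >= background_days pre-disclosure days) and that
    keep hitting the port afterwards.  Candidates to investigate, not proof."""
    days_before = defaultdict(set)
    for h in hits:
        if h.day < disclosed:
            days_before[h.src_ip].add(h.day)
    _, after = sources_by_period(hits, disclosed)
    return sorted(ip for ip, days in days_before.items()
                  if len(days) < background_days and ip in after)


def exploitation_share(hits, disclosed=DISCLOSED):
    """Probing vs exploiting: fraction of post-disclosure hits that carried the exploit."""
    post = [h for h in hits if h.day >= disclosed]
    if not post:
        return 0.0
    return sum(h.exploit_payload for h in post) / len(post)


if __name__ == "__main__":
    sample = build_sample_hits()
    for day, (n, distinct) in daily_summary(sample).items():
        print(f"{day} port {PORT}: {n:4d} hits from {distinct:4d} sources")
    print("spike factor:", spike_factor(daily_summary(sample)))
    print("possible early knowers:", possible_early_knowers(sample))
    print("exploit share after disclosure:", exploitation_share(sample))
```

Hit counts alone answer the first two bullets; the last one needs the sensor to parse the protocol far enough to tell a handshake from an overflow attempt, which is why the flag is carried on the record rather than inferred from volume.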
12. Redis CVE-2015-4335
• Remote code execution vulnerability in Redis (arbitrary Lua bytecode via the EVAL command)
– Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published
– Observed attacker behavior
– Recorded attacker IP addresses
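What "a custom Redis sensor" amounts to, as an added example that is not Faraday's sensor: a low-interaction listener that speaks enough of the Redis protocol (RESP) to keep a scanner talking, logs every command together with the peer IP as one JSON line, and flags EVAL calls whose script starts with the Lua 5.1 bytecode signature, since CVE-2015-4335 is reached by feeding bytecode to EVAL. The canned replies, the advertised `redis_version`, and the session bytes used to exercise it are assumptions and constructed data, not real Redis output or captured attacker traffic.

```python
# Added example, not Faraday's sensor: a low-interaction Redis sensor that parses
# RESP, logs each command with the source IP, and flags EVAL of Lua bytecode
# (the CVE-2015-4335 vector).  Replies and the advertised version are assumptions
# chosen to look like an old Redis, not real Redis behaviour.
import json
import socketserver
import sys
from datetime import datetime, timezone

LUA_BYTECODE_SIGNATURE = b"\x1bLua"   # Lua 5.1 binary chunk header
FAKE_INFO = b"# Server\r\nredis_version:2.8.19\r\nos:Linux\r\n"   # assumption: in the affected range


def parse_resp_command(buf):
    """Parse one command from buf -> (argv, rest); argv is None if more bytes are needed.
    Handles RESP arrays of bulk strings and the legacy inline form (b"PING\\r\\n").
    Raises ValueError on malformed input.  Arguments are decoded latin-1 so raw bytes survive."""
    if not buf.startswith(b"*"):
        line, sep, rest = buf.partition(b"\r\n")
        if not sep:
            return None, buf
        return [a.decode("latin-1") for a in line.split()], rest
    head, sep, rest = buf.partition(b"\r\n")
    if not sep:
        return None, buf
    argv = []
    for _ in range(int(head[1:])):          # ValueError on a garbage count, as intended
        if rest and not rest.startswith(b"$"):
            raise ValueError("expected bulk string")
        length_line, sep, body = rest.partition(b"\r\n")
        if not sep:
            return None, buf
        n = int(length_line[1:])
        if n < 0:
            raise ValueError("negative bulk length")
        if len(body) < n + 2:
            return None, buf
        argv.append(body[:n].decode("latin-1"))
        rest = body[n + 2:]
    return argv, rest


def reply_for(argv):
    """Canned replies (assumption: enough to keep a scanner talking, not Redis-exact)."""
    cmd = argv[0].upper() if argv else ""
    if cmd == "PING":
        return b"+PONG\r\n"
    if cmd == "INFO":
        return b"$%d\r\n%s\r\n" % (len(FAKE_INFO), FAKE_INFO)
    if cmd == "GET":
        return b"$-1\r\n"
    return b"+OK\r\n"   # CONFIG SET, SLAVEOF, EVAL, FLUSHALL ... all appear to succeed


def record(peer_ip, argv):
    """One structured log entry per command; the script argument of EVAL is inspected."""
    entry = {
        "ts": datetime.now(timezone.utc).isoformat(),
        "src_ip": peer_ip,
        "cmd": argv[0].upper() if argv else "",
        "argv": argv,
    }
    if entry["cmd"] == "EVAL" and len(argv) > 1:
        entry["lua_bytecode"] = argv[1].encode("latin-1").startswith(LUA_BYTECODE_SIGNATURE)
    return entry


def process_buffer(peer_ip, buf):
    """Drain every complete command in buf -> (records, replies, leftover bytes)."""
    records, replies = [], []
    while True:
        argv, buf = parse_resp_command(buf)
        if argv is None:
            return records, replies, buf
        records.append(record(peer_ip, argv))
        replies.append(reply_for(argv))


class SensorHandler(socketserver.BaseRequestHandler):
    def handle(self):
        buf = b""
        self.request.settimeout(60)
        while True:
            try:
                chunk = self.request.recv(4096)
            except OSError:
                return
            if not chunk:
                return
            try:
                records, replies, buf = process_buffer(self.client_address[0], buf + chunk)
            except ValueError:
                self.request.sendall(b"-ERR Protocol error\r\n")
                return
            for entry in records:
                print(json.dumps(entry), file=sys.stdout, flush=True)
            for reply in replies:
                self.request.sendall(reply)


if __name__ == "__main__":
    socketserver.ThreadingTCPServer.allow_reuse_address = True
    with socketserver.ThreadingTCPServer(("0.0.0.0", 6379), SensorHandler) as srv:
        srv.serve_forever()
```

Run it on a host that has nothing else on 6379 and ship stdout to wherever the other sensors log; the parser is kept separate from the socket code so the same logic can be replayed over a captured session offline.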
See slide 19 for the previous version; here's the text for you to either speak to or add back in case I emphasized the wrong points:
Network of sensors
Geographically and locally diverse
Collect, catalogue, and analyze omnidirectional Internet traffic
If something is *not* in Faraday, it is targeted
By collecting all omnidirectional traffic, we can reduce it from regular traffic
Distinguish all “background noise”
Collect untargeted malware
I stole the check marks from Phil’s – I kind of like that it adds color, and reinforces the positive, but can easily be convinced they aren’t necessary
See slide 22, 23 for previous versions
See hidden slide 20 for original version
See hidden slide 21 for previous version
Got rid of "scanned" in the header since it only covers malicious in the body; see slide 24 for original
Combined this with a build out to lead into the example
See slide 25 for original – added graph and reorganized
Yellow circle only appears on a build, you can delete, but may be useful visually to show how small the numbers were prior, not that it was non-existent
Should the title of the graph have ‘scans’ or something like that after Port 500?
Omitted the following text from the next slide “Huge spike in relevant traffic when this vulnerability was disclosed” as you can speak to it here with the chart, and it segues well to next slide.
When I was working on this earlier today, Bobby came by and noted this would be a good place to reiterate probing vs exploited with the language I gave it. It was previously:
Faraday told us:
Yes, people are actively probing for this
Where they were coming from
Who may have known about the vulnerability prior to public disclosure
Is it not (yet) being massively exploited
Added early warning with data science
Removed the ‘or not’s, since that is implied