Transforming the Fight Against Cyber Threats
David Petty, May 30, 2012
DamballaOverview
Published in: Technology
  • As we discussed, malware is increasingly capable of evading your security defenses. In addition, there is a whole host of infection vectors that can compromise your network and form the basis for a breach. Your mobile employees can bring malware into the organization when they reconnect to your network, and USB devices and the like serve as other ‘carriers’ of malware. April 15, DarkReading (International): SAP, other ERP applications at risk of targeted attacks. Backdoor Trojans and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren’t just for Windows PCs anymore; SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. A researcher at Black Hat Europe in Barcelona, Spain this week demonstrated techniques for inserting backdoors into SAP applications to enable attackers to gain control of them. The director of research and development at Onapsis said an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data. The hacks do not exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor in place, the attacker could modify a victim company’s electronic payments to a vendor, for example. “So every automated payment to that vendor would go to the attacker’s [bank] account [instead],” the director said. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=224400438
  • [Failsafe Screen Shot] With Damballa Failsafe, security analysts and incident responders no longer need to react to noisy alerts or manually search through logs to identify infections. Damballa Failsafe automatically captures evidence of malicious communications, correlates the suspicious events, pinpoints those assets under criminal control and enables you to stop the loss of sensitive data. Victim machines are automatically assigned a Risk Factor to prioritize the compromises that require immediate attention. All forensic evidence is displayed …, and ongoing monitoring allows you to ensure you have successfully remediated the threat. For each threat that we identify on a victim machine, we provide a Threat Conviction Score indicating the confidence level we are placing on our detection, based on the behaviors we have seen. And for every infected asset, we provide an Asset Risk Factor, indicating which assets we believe represent the biggest risks to your enterprise and the biggest risk of data loss and breach activity. This allows your incident response team to easily prioritize their remediation and investigation activities.
  • Step 1, Indictment Phase: Sensors identify all raw PE32 and PDF files seen in traffic. Sensors examine each file for MD5, source, and structure. A decision is made whether the file is “Suspicious” or “Malicious”, AKA ‘The Indictment’. If indicted as “Malicious”, it means we have seen the MD5 hash before; otherwise the file is listed as ‘Unverified’ in the Asset Summary Screen and the Suspicious File Report, and the reasons for suspicion are displayed. At this point, the Malware Admin can save the file to a local machine. If ‘Indicted’, the file goes to the cloud for processing (Auto / Manual Submit). Auto: the file is sent immediately to Damballa Labs for processing. Manual: the customer must hit submit (Asset Summary Screen / Suspicious File Report).
    Step 2, Conviction Phase: Damballa Labs runs the file through AV scanners and dynamic analysis in Dirty Space. Damballa Labs reviews the system outputs and makes a decision: Malicious | Suspicious | Benign. Malicious files become part of the training sets and are continuously examined. By examining malware at Damballa Labs, the behaviors identified enable: malware grouping & clustering (threat operator enumeration and attribution); malware & C&C linkage (malware family-tree reconstruction); public victim enumeration (authoritative DNS and sinkholing of domains); network behavioral clustering (0-day exploit and malware family discovery); pay-per-install milking (new droppers & payloads from crime servers); long-term monitoring (specific malware and threat infiltration).
    Step 3, Malware Forensics Report: Target delivery time is 10 minutes for the initial report. The report includes the reason why the file was convicted as ‘Malicious’, ‘Suspicious’ or ‘Benign’, a summary report and a detailed report. Reports are ‘living’: they are updated constantly as we learn more about the malware. This enables actionable intelligence for remediation efforts, risk prioritization, and delivery of the file to AV vendors for signature creation.
    1. Transforming the Fight Against Cyber Threats. David Petty, May 30, 2012. David.Petty@damballa.com, 949-325-4625. When malware talks…Damballa listens.
    2. Why Damballa Advanced Threat Protection? Mitigate corporate risk: discover hidden threats that have gone undetected; terminate criminal communications and the risk of data theft; earliest possible discovery of emerging threats. Improve security team efficiency: the Threat Conviction Engine effectively eliminates false positives. Improve incident response workflow: the Asset Risk Factor helps prioritize response and reduce the cost of remediation. Secure ALL devices (traveling, mobile and BYOD): analyze network behavior to protect any endpoint device regardless of infection vector or phase of the threat lifecycle (PC, Mac, iPad, iPhone, Android, servers, embedded systems…).
    3. ‘Protection’ has its limitations. Through the ‘front door’ (ingress): network-based inbound malware capture and analysis tools (Win32, Win64, encrypted/armored, etc.). How do you detect a breach? The corporate production network also holds PCs, Macs, embedded systems/POS/other OS, USBs/DVDs/cloud storage, traveling employees/contractors/BYOD, and a “Guest” network (Bring Your Own malware).
    4. Shifting from Protection to Detection. Noisy alerts and false positives (not correlated with other evidence) come from black lists and reputation systems (static f(x)) on the corporate production network (PCs, Mac, embedded/POS, “Guest” network). Criminal communications use known bad destinations, mixed-use destinations, new destinations (no history) and covert channels. Damballa® FirstAlert: the most advanced cyber threat intelligence; early detection of emerging threats; machine-learning behavioral classifiers (heuristics). Threat Conviction Engine: automatically correlates behaviors seen; virtually eliminates false positives. Asset Risk Factor: automatically assesses severity of breach; prioritization of risk and remediation. “…Damballa Failsafe 5.0 intelligently uncovers stealthy and hidden attacks masterfully avoiding any false positive alerts. Frost & Sullivan views this solution as a novel dimension to safeguard corporate networks.”
    5. Active Threat Monitoring (Enterprise Networks). We discover hidden infections that have gone undetected by preventative security measures: APT, advanced malware, targeted attacks…whatever. Network detection of suspicious downloads (inbound malware); endpoints communicating to suspicious destinations; network behavior indicative of criminal communication; DNS look-ups and activity indicative of criminal behavior; deep packet inspection and PCAPs of criminal traffic. Using the most advanced threat intelligence in the industry, correlating observations of criminal activity to positively identify hidden infections.
    6. Damballa® Failsafe: 1U appliance, Management Console and Sensor(s). Out-of-band (span or tap). Captures and assesses evidence from egress, proxy and DNS traffic to hunt for hidden threats. Can terminate criminal communications. The Management Console pinpoints compromised assets and provides network and host forensics with criminal attribution. Integrated workflow….
    7. Damballa® Labs. Thought leadership: Blackhat, Defcon, RSA, USENIX, ACSAC, NSDI, HackerHalted, FIRST, ICDM, CCS, NDSS, ISSA, IEEE, VB, RAID, etc. Threat Analysis: senior threat analysts, 10+ years experience, ex NSA, CIA, DoD; reverse engineering; deep penetration. Applied Research: doctorate-level, top-tier academics; big data analysis; predictive analytics; machine learning. Publications: blogs, whitepapers, articles, training courses; top-tier academic conferences and patents. Notable research backers.
    8. Damballa® FirstAlert Cyber Threat Intelligence (diagram labels, grouped). Sources: malware feeds, ISP sharing, DNS reputation, telco systems, external data feeds (registry, drive-by, blacklists), corporate honeypot (malware, PCAP, DNS, email, URI), mobile honeypot. Processing: feature extractors, harvesters, correlation engines, predictive systems. Categories: malware, mobile, drive-by, DNS, URI.
    9. Emerging Threat Discovery. Predictive analysis systems: threat growth characteristics and C&C structure are visible (and unique) at the DNS level. It is possible to identify new C&C infrastructure prior to the malware being captured and analyzed. Damballa detects the threat weeks/months before the malware is detected, while the malware continues to evade signature-based detection. Timeline (in weeks): set-up, early testing, attack launched, malware first discovered, malware updated.
    10. Damballa® Failsafe. Damballa sensor(s) perform deep packet inspection of all Internet traffic from enterprise assets (DNS, proxy, egress), backed by Damballa cyber threat intelligence. Correlation of ‘behaviors seen’ pinpoints infected devices. Is the destination shady? (suspicious destination, low reputation or known bad). Is the traffic suspicious? (suspicious content, DPI of payload / executables / files). Is the behavior automated? (do the events appear to be software or human driven?). Damballa Failsafe identifies the ‘unknown’ threat: victim machines actively communicating with cyber criminals.
    11. Actionable Intelligence: victims identified, threats classified, threat activity qualified. The Threat Conviction Engine correlates behaviors seen: DNS queries to suspicious destinations? Domain fluxing? Egress connection attempts? Proxy connection attempts? Non-human behavior? Suspicious binary downloads? The result is a Threat Conviction Score (1-100).
    12. Actionable Intelligence: victims identified, relative risk assessed, threats classified, threat activity qualified. Asset Risk Factor: the relative risk posed by an infected device, from local and global inputs:
       - Bytes in (local): receiving instructions, updates, malware being repurposed?
       - Bytes out (local): indicative of the amount of data stolen?
       - Connection attempts (local): how frequently is the asset communicating with a C&C?
       - Category (local): where does the asset sit / who does it belong to?
       - Number of threats (local): is the asset compromised with more than one threat?
       - Severity (global): what is the risk of the threat?
       - AV coverage (global): for a specific threat, what is my relative AV coverage?
    13. Actionable Intelligence: victims identified, relative risk assessed, threats classified, threat activity qualified. Full forensics for all behaviors seen: all events in sequence; full PCAPs for malicious traffic; malicious malware captured; malware trace reports (host and network behaviors); bytes in / bytes out; ports / traffic type; connection status (failed, proxy blocked, completed); category and priority of risk of the endpoint; threat operator profile; endpoint compromise history; geo-location of C&C.
    14. Identifying Zero Day Malware.
       1. Identify suspicious files in motion. Behaviors seen & benefits: suspicious files in motion; malicious structure; source / URI identification; unique victim enumeration; initial threat assessment; zero day files captured.
       2. Cloud interrogation of suspicious files. Behaviors seen & benefits: full malware lifecycle; network & host behaviors; AV scanner results; extensive dynamic analysis; ongoing trace report updates; behaviors feed Damballa Labs.
       3. Full malware forensics report in the Damballa Failsafe console.
    15. Identifying Criminal Communication (diagram: victim, configuration file, recursive and authoritative DNS, firewall, proxy, TCP/IP session, criminal C&C server).
       - DNS. Behaviors seen & benefits: malicious DNS queries; domain fast-fluxing detection; C&C location; new domain queries; unique victim enumeration; detection prior to egress; DNS query termination; Dynamic Generation Algorithm (DGA).
       - Egress C&C and proxy filtering. Behaviors seen & benefits (listed for both): C&C connection behaviors/success; URI identification (incl. HTTPS); malicious file identification (malware); unique victim enumeration; full packet capture; session termination. One column additionally lists detection prior to egress, the other bytes-in & bytes-out monitoring.
    16. Protection From The ‘Unknown’ Threat. Enables rapid, automated incident response: rapid and positive identification of compromised assets; Asset Risk Factor and Threat Conviction Scores prioritize response; terminate malicious communications and/or sinkhole DNS requests. Provides comprehensive threat protection: platform agnostic (Windows, Linux, Apple, Android, Blackberry); leading academic research and advanced threat intelligence. Force multiplier for over-tasked security teams: no more manual analysis of millions of lines of logs and false alerts; automated aggregation and assessment of evidence/forensics (automatically identifies the infection, threat and risk; provides actionable intelligence); security teams can focus on improving policies and threat defense.
    17. Competition and Value Proposition. Damballa’s unique strengths include: our solution has the ability to scale much better than our competition; our standard sensor handles 2 Gbps. We detect emerging threats and protect our customers even before the malware is ever discovered and analysed by our competition. We have a lower false positive rate than our competition and accurately detect more threats.
    19. Advanced Malware Infection Cycle (diagram labels, grouped). Criminal command & control: multiple C&C proxies / separate C&C portals; updater site (malware updates, updates to the list of C&Cs); data repository (encrypted files from victim, stolen passwords & PII); downloader and repository (download payload, host malware agent(s), whitelisted repositories, unique malware agent, remote access & control, update malware location); logging of install successes. Dropper(s): the dropper unpacks on the victim machine and runs. Post unpack: disable local security; prevent updates/patches; delete dropper/installer; clear logs & events. Post agent install: confirm installation; agent integrity checking; agent selection criteria; locking of agent to victim machine; is this a real victim machine? have I seen it before?; inventory victim; catalogue & inventory. Malware is updated/customized. Victim.
    20. Advanced Malware Infection Cycle. Damballa Failsafe monitors network traffic and correlates suspicious ‘behaviors seen’ to rapidly identify assets under criminal control, and stop data theft due to malware breaches. (Diagram: downloader, repository, dropper(s), C&C portals, C&C proxies; the dropper unpacks on the victim machine and runs; malware is updated/customized; victim.)
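Slides 11 and 12 describe the Threat Conviction Engine (a 1-100 score built by correlating the listed behaviors) and the Asset Risk Factor (local and global inputs combined into a relative risk). The deck does not say how either is computed, so what follows is an added illustration, not Damballa's code: a small Python correlator over constructed network events, with assumed behavior weights, an assumed conviction threshold of 50, and constructed asset and threat context. It shows the defensive point both slides make: no single behavior convicts an asset, and once convicted, assets are ordered for response by business context and evidence of data loss rather than by alert volume.

```python
"""Toy "behaviors seen" correlator: Threat Conviction Score plus Asset Risk
Factor. Added illustration only; not Damballa's code or scoring, which the
deck does not disclose. Weights, thresholds and sample data are assumed."""
from collections import defaultdict

# One weight per behavior named on the Threat Conviction Engine slide.
# Values are assumed: no single behavior reaches the threshold, so an asset
# is convicted only when several independent behaviors correlate.
BEHAVIOR_WEIGHTS = {
    "dns_suspicious_destination": 20,
    "domain_fluxing": 25,
    "egress_connection_attempt": 15,
    "proxy_connection_attempt": 15,
    "non_human_behavior": 20,
    "suspicious_binary_download": 30,
}
CONVICTION_THRESHOLD = 50  # assumed cut-off on the 1-100 scale

# Constructed sample observations (not real traffic). Each event ties one
# asset to one threat and records the bytes moved in that exchange.
SAMPLE_EVENTS = [
    {"asset": "ws-fin-07", "threat": "threat-A", "behavior": "dns_suspicious_destination", "bytes_in": 0, "bytes_out": 0},
    {"asset": "ws-fin-07", "threat": "threat-A", "behavior": "domain_fluxing", "bytes_in": 0, "bytes_out": 0},
    {"asset": "ws-fin-07", "threat": "threat-A", "behavior": "egress_connection_attempt", "bytes_in": 2048, "bytes_out": 524288},
    {"asset": "ws-fin-07", "threat": "threat-A", "behavior": "non_human_behavior", "bytes_in": 512, "bytes_out": 4096},
    {"asset": "lab-test-02", "threat": "threat-B", "behavior": "dns_suspicious_destination", "bytes_in": 0, "bytes_out": 0},
    {"asset": "srv-db-01", "threat": "threat-C", "behavior": "suspicious_binary_download", "bytes_in": 1048576, "bytes_out": 0},
    {"asset": "srv-db-01", "threat": "threat-C", "behavior": "egress_connection_attempt", "bytes_in": 0, "bytes_out": 8192},
    {"asset": "srv-db-01", "threat": "threat-C", "behavior": "proxy_connection_attempt", "bytes_in": 0, "bytes_out": 0},
]

# Constructed "local" context: where the asset sits / who owns it.
ASSET_CATEGORY = {"ws-fin-07": "finance", "lab-test-02": "lab", "srv-db-01": "server"}
CATEGORY_WEIGHT = {"finance": 3, "server": 3, "lab": 1}
# Constructed "global" context per threat: severity (1-5) and the share of
# the estate's AV products that already detect it.
THREAT_INTEL = {
    "threat-A": {"severity": 5, "av_coverage": 0.1},
    "threat-B": {"severity": 2, "av_coverage": 0.9},
    "threat-C": {"severity": 4, "av_coverage": 0.4},
}


def conviction_scores(events):
    """Threat Conviction Score per (asset, threat): sum of the weights of the
    *distinct* behaviors seen, capped at 100. Repeats of one behavior add
    nothing, so a chatty but one-dimensional signal cannot convict alone."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["asset"], e["threat"])].add(e["behavior"])
    return {key: min(100, sum(BEHAVIOR_WEIGHTS[b] for b in behaviors))
            for key, behaviors in seen.items()}


def asset_risk_factors(events, scores):
    """Asset Risk Factor per asset, built only from *convicted* threats and
    from the seven inputs the Asset Risk Factor slide lists. Relative score:
    higher means remediate first."""
    per_asset = defaultdict(lambda: {"bytes_in": 0, "bytes_out": 0, "attempts": 0, "threats": set()})
    for e in events:
        if scores[(e["asset"], e["threat"])] < CONVICTION_THRESHOLD:
            continue  # suspicious, not convicted: do not inflate the asset's risk
        a = per_asset[e["asset"]]
        a["bytes_in"] += e["bytes_in"]
        a["bytes_out"] += e["bytes_out"]
        if e["behavior"].endswith("_connection_attempt"):
            a["attempts"] += 1
        a["threats"].add(e["threat"])

    risk = {}
    for asset, a in per_asset.items():
        severity = max(THREAT_INTEL[t]["severity"] for t in a["threats"])
        exposure = 1 - min(THREAT_INTEL[t]["av_coverage"] for t in a["threats"])
        risk[asset] = (
            10 * CATEGORY_WEIGHT[ASSET_CATEGORY[asset]]  # category: where does it sit?
            + 10 * severity                              # severity of the worst threat
            + round(20 * exposure)                       # AV coverage: how blind am I?
            + 10 * (len(a["threats"]) - 1)               # compromised by more than one threat?
            + min(20, 5 * a["attempts"])                 # how often is it talking to C&C?
            + min(20, a["bytes_out"] // (64 * 1024))     # bytes out: data stolen?
            + min(10, a["bytes_in"] // (64 * 1024))      # bytes in: updates / repurposing?
        )
    return risk


def prioritize(events):
    """Return convicted assets ordered for incident response, highest risk first."""
    scores = conviction_scores(events)
    risk = asset_risk_factors(events, scores)
    return sorted(risk.items(), key=lambda item: item[1], reverse=True)


if __name__ == "__main__":
    for asset, factor in prioritize(SAMPLE_EVENTS):
        print(f"{asset}: risk factor {factor}")
```

On the constructed data, lab-test-02 shows a single suspicious DNS lookup (score 20) and is never convicted, so it does not reach the response queue at all; the finance workstation outranks the database server because its threat is more severe and less covered by AV, even though the server moved more bytes inbound. Replacing the assumed weights with ones derived from your own incident history is the part of this that matters in practice.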
