Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

969 views

Published on

Published in: Software
  • Login to see the comments

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

  1. 1. Reacting to Advanced, Unknown Attacks in Real-Time with Lastline Engin Kirda // engin@lastline.com Ph.D., Prof., Co-Founder & Chief Architect, Lastline www.lastline.com
  2. 2. Me • Professor at Northeastern University, Boston – started malware research in about 2004 – Helped build and release popular malware analysis and detection systems (Anubis, Exposure, …) • Co-founder of Lastline, Inc. – Lastline offers protection against zero-day threats and advanced malware – Commercialization of many years of advanced research Copyright ©2014 Lastline, Inc. All rights reserved. 2
  3. 3. Overview of This Talk • Introduction to the Problem • Evasive Malware (Backoff examples) • Automatically Mitigating Breaches • Conclusion Copyright ©2014 Lastline, Inc. All rights reserved. 3
  4. 4. Cyberattack (R)Evolution Targeted Attacks and Cyberwar !!! Time $$ Damage Billions Millions Hundreds of Thousands Thousands Hundreds Cybercrime Cybervandalism $$$ #@! Copyright ©2014 Lastline, Inc. All rights reserved. 4
  5. 5. Online Crime is a Business • Klikparty, 2007 Copyright ©2014 Lastline, Inc. All rights reserved. 5
  6. 6. Online Crime is a Business • Klikparty, 2007 Copyright ©2014 Lastline, Inc. All rights reserved. 6
  7. 7. Malware is a Problem of Scale … Copyright ©2014 Lastline, Inc. All rights reserved. 7
  8. 8. … and Sophistication Current solutions fail to protect organizations from sophisticated, targeted attacks. Simple Threats Opportunistic Attacks APT Solutions Antivirus Solutions Security Gap Targeted Attacks Packing Sophisticated Threats Plain Virus Poly-morphic C&C Fluxing Persistent Threats Evasive Threats Copyright ©2014 Lastline, Inc. All rights reserved. 8
  9. 9. Lastline Labs AV Vendor Review Antivirus systems take months to catch up to highly evasive threats. Copyright ©2014 Lastline, Inc. All rights reserved. 9
  10. 10. You’ve Probably Read This: Recent Payment Breaches • The last year has seen a dramatic escalation in the number of breached PoS systems • Many of these PoS payloads, like Backoff, evaded installed defenses and alarms • In few cases an early alarm was received, but it was ignored since indistinguishable from the background noise. Copyright ©2014 Lastline, Inc. All rights reserved. 10
  11. 11. What is Backoff? • Malware used in numerous breaches in the last year • Secret Service currently estimates 1,000+ U.S. businesses affected • Targeted to PoS systems • Evades analysis Copyright ©2014 Lastline, Inc. All rights reserved. 11
  12. 12. What is Backoff? [1 Slide Summary from Kyle] • Product screenshot? • Mention evasive behaviors exhibited Copyright ©2014 Lastline, Inc. All rights reserved. 12
  13. 13. What is Backoff? • Timing evasion (an anti-VM technique) • Utilizes code obfuscation • Also uses rare and poorly emulated instructions to defeat simple emulators • Attempts to encrypt parts of the command and control traffic Copyright ©2014 Lastline, Inc. All rights reserved. 13
  14. 14. How are the attackers deploying it? • Scan for Internet facing Remote Desktop applications • Brute force login credentials • Often successfully find administrative credentials • Use admin credentials to deploy Backoff to remote PoS systems Copyright ©2014 Lastline, Inc. All rights reserved. 14
  15. 15. Understanding Evasive Malware Malware authors are not stupid • Clearly, they got the news that sandboxes are all the rage now • since the code is executed, malware authors have options Evasion defined • Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target • Can be achieved in a variety of ways… Copyright ©2014 Lastline, Inc. All rights reserved. 15
  16. 16. Understanding Evasive Malware • Malware can detect underlying runtime environment – differences between virtualized and bare metal environment – checks based on system (CPU) features – artifacts in the operating system • Malware can detect signs of specific analysis environments – checks based on operating system artifacts (files, processes, …) • Malware can avoid being analyzed – tricks in making code run that analysis system does not see – wait until someone clicks something – time out analysis before any interesting behaviors are revealed – simple sleeps, but more sophisticated implementations possible Copyright ©2014 Lastlin1e6, Inc. All rights reserved.
  17. 17. 3 Ways to Build a Sandbox Not all sandbox solutions can detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 17
  18. 18. Virtualized Sandboxing vs. Full System Emulation Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 18
  19. 19. Lastline Platform Components Sensor Analyzes network, email, web, and mobile traffic. Detects callbacks and extracts objects for advanced malware analysis and stops cyber threats. Manager Correlates low-level threat events into high-level network incident views of network and object activity. Engine Analyzes objects with a next-generation sandbox using full-system emulation. This approach allows for greater visibility into advanced malware. Threat Intel Offers a rich knowledge base of malicious network sources and objects containing advanced cyber threats built through machine learning, web crawling, emulated browsers, automated and dynamic techniques. API Provides ability to submit objects for advanced malware analysis from any third-party sensor or system, queries the Threat Intelligence and displays pertinent threat information. software software software subscription software Copyright ©2014 Lastline, Inc. All rights reserved. 19
  20. 20. Lastline Enterprise On-Premise Suitable for those environments with tight requirements in terms of privacy and compliance. Customers may decide to share anonymous information with the Lastline Labs Copyright ©2014 Lastline, Inc. All rights reserved. 20
  21. 21. Lastline Enterprise Hosted Suitable for those customers who want to minimize the operational effort Copyright ©2014 Lastline, Inc. All rights reserved. 21
  22. 22. Technology Plays a Crucial Role but… • Deploying an advanced solution to detect and mitigate a breach is a crucial input for the breach detection process • However, to fully leverage the detection capabilities, the platform must be easily integrated into an organization from both a technology and a process perspective Copyright ©2014 Lastline, Inc. All rights reserved. 22
  23. 23. It’s Part of a Multi-Phase Process Copyright ©2014 Lastline, Inc. All rights reserved. Assess the Environment Deploy the Components Correlate the Information Share the Actionable Threat Intelligence Automatically Enforce Countermeasures • Who, when, where, how? • Avoid the “Target Syndrome”; • Build a process that is incident-based rather then event-based; • Deploy a Scalable Architecture; • Provide a comprehensive coverage in terms of attack vectors; Reduce the TCO and boost the ROI; • Quickly and Seamlessly adapt to changes; • Provide multi-dimensional actionable threat intelligence; • Feed Automated Systems (SIEM, Trouble Ticketing); • Identify reliable IOCs • Use the correlated information to quickly enforce countermeasures 23
  24. 24. Correlate the Information Copyright ©2014 Lastline, Inc. All rights reserved. • Lastline Enterprise Platform provides an incident-centric view, rather then an event-centric view • Single events are post-processed and summarized into high-level incidents 28
  25. 25. Correlate the Information Copyright ©2014 Lastline, Inc. All rights reserved. Stage 1: Connection to the Drive-By Site Stage 3: Malicious C&C connections Stage 2: Malicious Binary Download Everything correlated into a single incident Security Analysts look at a single incident rather than 4 separated events Result of the correlation process: Drive-by + Malicious Binary Download = ------------------------------------ Endpoint successfully compromised! 29
  26. 26. Share the Actionable Threat Intelligence • The post-processed information can be exported to external devices • For further integration, Lastline API can be easily integrated with existing security infrastructures • SWGs (Secure Web Gateways), IPSs (Intrusion Protection System), NGFWs (Next-Generation Firewalls) and SIEM (Security Information Event Management) installations can all interoperate seamlessly with Lastline Enterprise Copyright ©2014 Lastline, Inc. All rights reserved. 30
  27. 27. Providing Multi-Dimensional Information… • The information provided by the Lastline Enterprise reports can be used at different levels  Operational level: extract the information to contain and mitigate the breach  Analytical level: perform post-mortem forensic analysis Copyright ©2014 Lastline, Inc. All rights reserved. 31
  28. 28. Detailed Information for Security Analysts Copyright ©2014 Lastline, Inc. All rights reserved. Security Analysts can extract the Process Dumps and analyse them on Ida PRO It is also possible to derive reliable IoC. 32
  29. 29. Automatically Mitigating the Breach User n User 1 Exploit Site C&C Site 1 2 3 5 Feedback To Global Threat Intelligence User 2 4 Copyright ©2014 Lastline, Inc. All rights reserved. 33
  30. 30. • The sensor detects an advanced threat for the organization • The artifact is analyzed by the Lastline Engine leveraging full system emulation • The manager triggers an alert using post processing and correlation to ensure it is displayed with the right priority; • The information can be automatically transmitted in real time to the third parties products part of the Lastline Defense Program, or virtually to any other technology by means of the Lastline API • Other occurrences of the same threats are immediately detected and blocked Copyright ©2014 Lastline, Inc. All rights reserved. 1 2 3 4 5 Mitigating the Breach 34
  31. 31. Thank You! For more information visit www.lastline.com or contact us at info@lastline.com.

×