On the Hunt for Advanced Attacks? C&C Channels are a Good Place to Start
Moshe Zioni (@dalmoz_), Security Research Manager, VERINT
LOOKING FOR APTS? C&C IS A GOOD PLACE TO START
On The Agenda
• Why focus on C&C?
• C&C landscape
• Trends in C&C implementations
• Traditional approaches
• Our approach
• Limitations
• Proof-of-concept results
• Takeaways
• Q&A
WHOAMI – credits & kudos
• Moshe Zioni (@dalmoz_)
• Leading a terrific group of talented researchers at VERINT
• Researching and developing cutting-edge, next-generation detection engines for malicious activity on very large enterprises and ISPs.
• Credit & kudos go to the Research team, especially to Eddie, Maria, Meir, Oren and Vadim, and to the Analysis team.
Why focus on C&C channels?
• Always present (almost)
• Network interception is practical, in contrast to other detection methods/layers
• While malware tends to be polymorphic, its communication protocol does not
• An old problem:
  • Current detection schemes are not so promising at detecting the ‘new’.
  • Traditional tactics rely heavily on somewhat naïve comparison.
C&C landscape

Distribution of protocols:
  DNS      9%
  HTTP    62%
  ICMP     5%
  NATIVE  14%
  P2P     10%

Name               Method
Dridex             P2P, HTTP
Nano Locker        ICMP
Poison Ivy         HTTP
FLAME              HTTP
CITADEL            HTTP
Bergard            HTTP
Vawtrak URLZONE    HTTP
BlackMoon          HTTP
Wekby              DNS
ZeUS (GOZ)         HTTP (P2P)
DORKBOT            HTTP
SIMDA              NATIVE + HTTP
REGIN              NATIVE (TCP + UDP) + ICMP + HTTP
SOUNDFIX-11        HTTP
JAKUcalc           HTTP / NATIVE TCP / DNS
TrickBot           HTTP
GOZNYM             P2P
Trends in C&C implementations
• Rapid evolution, fast to respond
• Encryption of transmissions and payload
• Encapsulation of transmissions
• Steganography of messages
• P2P – forget about a SPOF (single point of failure)
Traditional Approaches

Signature based detection
• Blacklists / known patterns
• Constantly needs upkeep and maintenance
• Low false positive rate
• Relies forever on intelligence and analysis
• Not suitable at all for finding ‘unknown’ schemes
• High false negative rate

Anomaly based detection
• Markov models
• ARMA
• Baseline comparison
• Assumes that normal traffic differs, in its statistical model, from malicious traffic, so deviations might reveal novel schemes
• This assumption often fails given current trends.
• High false positive rate
Our approach
Choosing an alternate path
What Do We Need?
We need something robust that can “think” of many possibilities.
Rely on what we do know and induce further.
Fast (polynomial-time) results.
MACHINE LEARNING - For The Win!
Enter Machine Learning
Machine Learning is the science of providing a computer with the ability to “learn” by example and teach itself to find patterns.
There are many methods of ML – each one has its pros and cons.
The model ‘learns’ from known, classified data and extrapolates to achieve results that are nontrivial (for a human).
Evolved from Pattern Recognition and Artificial Intelligence studies.
Supervised Learning
Relies on labelled training data.
Collection is key for an optimized model and for reducing error levels.
The data sample set should be comprised of encompassing, diverse and relevant data.
We used decision-tree (Random Forest) based supervised learning.
Feature Extraction
Example feature table (columns): SUIT TIE CHARM SMILE BAD-TEETH CAT CLASS
Feature selection in TCP/HTTP

Session
• Time differences
• # of bytes
• How many requests got an answer?
• How much time did it take to get an answer?

TCP
• 5-tuple information
• Protocol
• IP payload
• Handshake data
• Flags
• Flow count

Protocol specific - HTTP:
• What is the length of the host name?
• Body length
• # of unique URI calls within the session
• # of “user agent” strings used & their values
• How many file types were downloaded?
• What is the average status code?
• What is the avg. length of the URI?
• Number of parameters

SSL/TLS
• Certificate metadata
• Negotiated cipher-suite
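As an added example (my own code, not the talk's or VERINT's engine), the following Python derives the session- and HTTP-level features from the list above for one client-to-host session and packs them into a fixed-order vector of the kind a Random Forest would train on. The per-request record layout and the sample session are constructed assumptions.

```python
# Added example (not the talk's code): derive the session- and HTTP-level
# features from the "Feature selection in TCP/HTTP" list for one session.
# The record layout below is an assumption made for this illustration.
from statistics import mean
from urllib.parse import urlsplit, parse_qsl
from posixpath import splitext

# Constructed sample session (not a real capture), one client talking to one
# host. Fields per request: (t_seconds, method, url, user_agent,
# status or None if never answered, bytes_sent, bytes_received, request_body)
SAMPLE_SESSION = [
    (0.00, "POST", "http://example.test/some/uri.php", "Mozilla/5.0",
     200, 412, 1320, "layer=abc&dimm=def&err=1"),
    (0.35, "GET", "http://example.test/static/a.gif", "Mozilla/5.0",
     200, 210, 2048, ""),
    (0.80, "GET", "http://example.test/static/a.gif?x=1", "Mozilla/5.0",
     404, 215, 180, ""),
    (1.90, "POST", "http://example.test/some/uri.php", "curl/7.0",
     None, 430, 0, "ljj=xyz&dhgxbg=qq&ejv=o"),
]

# Fixed column order so every session maps to the same numeric vector.
FEATURE_ORDER = [
    "mean_gap_s", "total_bytes", "n_requests", "n_answered", "answer_ratio",
    "host_len", "body_len", "n_unique_uris", "n_user_agents", "n_file_types",
    "avg_status", "avg_uri_len", "n_params",
]


def extract_features(session):
    """Return a dict of per-session features; all zeros for an empty session."""
    if not session:
        return {name: 0.0 for name in FEATURE_ORDER}
    ts = [r[0] for r in session]
    gaps = [b - a for a, b in zip(ts, ts[1:])]          # time differences
    answered = [r for r in session if r[4] is not None]  # requests that got a reply
    parts = [urlsplit(r[2]) for r in session]
    uris = [p.path + ("?" + p.query if p.query else "") for p in parts]
    # Parameters = query-string pairs plus urlencoded body pairs.
    n_params = sum(len(parse_qsl(p.query, keep_blank_values=True)) for p in parts)
    n_params += sum(len(parse_qsl(r[7], keep_blank_values=True)) for r in session)
    # "File types downloaded": distinct path extensions on 2xx answers.
    exts = {splitext(urlsplit(r[2]).path)[1].lstrip(".")
            for r in answered if 200 <= r[4] < 300}
    exts.discard("")
    return {
        "mean_gap_s": mean(gaps) if gaps else 0.0,
        "total_bytes": sum(r[5] + r[6] for r in session),
        "n_requests": len(session),
        "n_answered": len(answered),
        "answer_ratio": len(answered) / len(session),
        "host_len": mean(len(p.hostname or "") for p in parts),
        "body_len": sum(len(r[7]) for r in session),
        "n_unique_uris": len(set(uris)),
        "n_user_agents": len({r[3] for r in session}),
        "n_file_types": len(exts),
        "avg_status": mean(r[4] for r in answered) if answered else 0.0,
        "avg_uri_len": mean(len(u) for u in uris),
        "n_params": n_params,
    }


def feature_vector(session):
    """Numeric vector in FEATURE_ORDER, the shape a Random Forest would train on."""
    feats = extract_features(session)
    return [float(feats[name]) for name in FEATURE_ORDER]


if __name__ == "__main__":
    for name, value in extract_features(SAMPLE_SESSION).items():
        print(f"{name:14s} {value}")
```

Labelled vectors from many such sessions, not the handful shown here, are what the talk's collection advice is about: the model is only as good as the sessions it is trained on.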
But, first
Appropriate data collection and feature engineering are crucial for a proper, effective model.
Machine learning results are hard to interpret – most of the time the question ‘How did the machine decide that this is malicious traffic?!’ is not straightforwardly answered.
Do not succumb to overfitting (e.g. params/samples >> 1).
In-the-Wild POC
Sample Results
POST /some/uri.php HTTP/1.1
layer=cXJjb3JtYUJxamNwaW5jcWdwcSxhbW8=&dimm=Pl
dRR1A8YG12bGd2XW9ja25ncD4tV1FHUDwIPkxDT0c8IG9ja25ncGB
teiA+LUxDT0c8CD5RV0BIPHFyY28iYG12bGd2ImtsImNhdmttbD4tU
VdASDwIPlFATUZbPAhWamtxIm9ncXFjZWcidWNxInFnbHYiZHBtbyJj
ImFtb3JwbW9rcWdmIm9jYWprbGcsCD4tU UBNRls8&err=1
(Source: Akamai)
Spamtorte – old version comm.
Old version body contents:
layer=cXJjb3JtYUJxamNwaW5jcWdwcSxhbW8=&dimm=Pl
dRR1A8YG12bGd2XW9ja25ncD4tV1FHUDwIPkxDT0c8IG9ja25ncGBteiA+LUxDT0c
8CD5RV0BIPHFyY28iYG12bGd2ImtsImNhdmttbD4tUVdASDwIPlFATUZbPAhWamtxIm9ncXFjZWcidWNxInFnbHYiZHBtbyJjI
mFtb3JwbW9rcWdmIm9jYWprbGcsCD4tU UBNRls8&err=1
(Source: Akamai)
New version POST request body contents (keeping the first letter and randomizing the rest, 2-5 chars each):
ljj=Y24sZXBnZ2xnNTs1OyxjZUJlb2NrbixhbW8hY2hY24sZXdjcGZCbmdjdGt2dixhb
W8hY24sZXdY2tuLGFtbyFjbixld2tjcGZCam12b2NrbixkcCFjbixld2tjcGZCbmNybXF2
ZyxsZ3YhY24sZXdrYG10a2FqQmVvY2tuLGFtbw3%3D&dhgxbg=PldRR1A8Zm1sY2
5mcW1sNDQ6Pi1XUUdrcWo9Ij5gcDwiPmBwPCJwZ3JueyJvZyJrZCJ7bXcidW13bm
YibmtpZyJ2bSJxZ2cib3sicmptdm1xLCJRZ2cie21&ejv=o
Spamtorte - version comparison
Spamtorte – Malware Upgrades
Filename             MD5                               Size
OLD (32bit version)  1faf27f6b8e8a9cadb611f668a01cf73  47,509
OLD (64bit version)  cb0477445fef9c5f1a5b6689bbfb941e  52,515
NEW (32bit version)  c547177e6f8b2cb8be26185073d64edc  87,875
NEW (64bit version)  d04c492a5b78516a7a36cc2e1e8bf521  95,063
Spamtorte - what made the machine spot it??
Relevant samples were from several sources, found to be “similar” to:
• CryptoWall
• TeslaCrypt
Getting a hold of the details:
SpamTorte v2: http://cyber.verint.com/spamtorte-version-2/
Extra! http://cyber.verint.com/nymaim-malware-variant/
Key takeaways
• Traditional schemes are not relevant for the goal of APT detection
• Machine Learning is key for uncovering unknown malicious traffic
• Collection is gold and should be considered the most crucial part of the operation; if it is not, it may lead to very error-prone models
• C&C comms are rapidly becoming encrypted (exp. features)
Thank You
Visit us at booth #G160!

InfoSecurity Europe 2017 - On The Hunt for Advanced Attacks? C&C Channels are a Good Place to Start
Editor's Notes

  1. HTTP/S definitions. UDP/TCP, ICMP. Social networks? Dridex is p2p or http?
  2. steganography? Social networks?
  3. Autoregressive moving average
  4. TRAINING DATA. Easy example - small set – cannot really extrapolate from a small bunch. Collection is key! Bias is dangerous – diversity, robust, clean
  5. Per domain features – sessions instead of http specific features. Another option is to add certificate to the circle together with other ssl/tls features
  6. The payload itself (body) is different – Json -
  7. Samples from samples – add some pcaps or at least names of families of which we derived this conclusion. Similarity breakdown (columns malware_prediction), [count of alert]: 1000052 - [~300] - CryptoWall; 1000053 – [~100] - TeslaCrypt