Advanced Persistent Threats (Shining the Light on the Industries' Best Kept S... - Security B-Sides
The following lecture will cover very advanced techniques and tradecraft of subversive multi-vector threats (SMTs) and advanced persistent threats (APTs), presented by two of the world's leading experts in this specific field. It is important to understand that APTs have a long history and, though typically not talked about unless you are dealing with governments, the Defense Industrial Base (DIB), research organizations and global financials, are all too real. The techniques and tradecraft associated with them are so mature and diverse that they literally go undetected. Today's Internet is far more complex, dynamic and diverse than ever before. Because of this fast-paced evolution within the threat landscape, these types of attacks (as we predicted in a recent lecture at ToorCon in October 2009 in San Diego, CA) have swiftly become mainstream. The telemetry of the attack surface knows no bounds and includes any mediums necessary for completing their operational charter and missions. In most instances, these attacks are sponsored by nation-state and sub-national entities, either politically or economically motivated. During our discussion, we will address the history and psychology of these cyber actors as it relates to APTs, advancing into an in-depth discussion of SMTs, crypto-virology, asymmetric forms of information gathering, recent use cases and next-generation countermeasures for detecting and defending against these types of attacks. Lastly, as we predicted last fall the rise of APTs into the mainstream, we will also leave you with yet another prediction of what to expect in the coming year.
This is an update to the Cyber Defense Matrix briefing given at the 2019 RSA Conference. Cybersecurity practitioners can use this to organize vendors, find gaps in security portfolios, understand how to organize security measurements, prioritize investments, minimize business impact, visualize attack surfaces, align other existing frameworks, and gain a fuller understanding of the entire space of cybersecurity.
What can go wrong?!
Thirty years of commercial information security have taught us to orchestrate perimeter controls, to correctly configure AAA systems, to evaluate risks and manage them.
But when we talk about the supply chain, the context dramatically changes and we risk realising we did not understand it all or we naively transferred our risk to an unaware third party.
Peter Wood has worked as an ethical hacker for the past 20 years, with clients in sectors as diverse as banking, insurance, retail and manufacturing. He will describe how advanced persistent threats operate from a security intelligence perspective, based on published case studies and analysis. He will highlight APT entry points and exploitation techniques and suggest practical prevention and detection strategies.
Who is responsible for security in the enterprise? Every company takes a different approach, but in many cases, accountability and authority do not reside in the same role. When this happens, it’s hard to tell who is responsible for securing digital assets. No wonder executives are worried.
A military concept now applied to cybersecurity, the "cyber kill chain" was developed by Lockheed Martin in 2011. It describes the phases an adversary will follow to target an organization. There are 7 well-defined phases, and the attack is considered successful if/when all phases have been carried out.
(DOCUMENT IN ENGLISH)
Secure Access – Anywhere by Prisma, PaloAlto - Prime Infoserv
The purpose of the session is to ensure security for the rapidly scaled work-from-home situations during the COVID-19 outbreak. The objective is to ensure that users can securely and rapidly connect to all of their applications, including SaaS, cloud, and data-center applications.
The session will be delivered by Mohammad Faizan Sheikh, Channel Systems Engineer, India & SAARC for Palo Alto Networks.
Lessons Learned in Automated Decision Making / How to Delay Building Skynet - Sounil Yu
There is much talk of topics like artificial intelligence, machine learning, and automation within the security industry. We are led to believe that these capabilities will revolutionize our security practices. However, we need to be conscious of the limits of these capabilities before we entrust them with matters of importance. To understand the limits, we need to understand what each of these capabilities really mean and how they fit together. Unfortunately, most people combine these capabilities and use the terms almost interchangeably. Doing so is dangerous and can create unintended consequences.
With each passing year, the security threats facing computer networks have become more technically sophisticated, better organized and harder to detect. At the same time, the consequences of failure to block these attacks have increased. In addition to the economic consequences of financial fraud, we are seeing real-world attacks that impact the reliability of critical infrastructure and national security.
Join Lancope's Director of Security Research to learn about five key challenges that computer security professionals face in 2013, including:
1. State-sponsored espionage and sabotage of computer networks
2. Monster DDoS attacks
3. The loss of visibility and control created by IT consumerization and the cloud
4. The password debacle
5. Insider threats
The variety and complexity of cyber attacks is increasing. The attackers have a strong economic and political motivation thus leading to organized and targeted attacks. We have concluded that intrusions are inevitable, and have focused on strategies to work through the attack while limiting the losses. Our approach, called Self Cleansing Intrusion Tolerance (SCIT), leads to the next generation of secure servers. SCIT shifts the focus from intrusion avoidance to reducing the losses resulting from an intrusion. This additional layer of defense is justified, because the current reactive approaches cannot keep up with the rapidly increasing new threats.
Malicious software or “malware” is the biggest network security threat facing organizations today. Cybercriminals target enterprises that hold a great deal of money or conduct a high volume of transactions on a daily basis. A network intrusion can cost an organization as much as $5 million. And, the damage to a company’s reputation can be irreparable. Statistics show that if a major security breach occurs against a U.S. enterprise, that organization has a 90 percent chance of going out of business within two years. This is particularly alarming considering that malware is currently the fastest growing trend in the misuse of network resources.
Proactive cyber defence through adversary emulation for improving your securi... - idsecconf
Organizations using Adversary Emulation plan to develop an attack emulation and/or simulation and execute it against enterprise infrastructure. These activities leverage real-world attacks and TTPs used by threat actors, so you can identify and find the gaps in your defense before a real adversary attacks your infrastructure. Adversary Emulation also helps security teams get more visibility into their environment. Performing Adversary Emulation continuously strengthens and improves your defense over time.
Maximize Computer Security With Limited Resources - Secunia
Presentation from Stefan Frei on how patches are an effective method to escape the arms race with cybercriminals. The majority of vulnerabilities have patches ready on the day of disclosure, which means that the right patch strategy is evident to maximize risk reduction.
Rainer Baeder. Sophisticated, targeted and persistent threats - TEO LT, AB
How to protect against them? How are computer security systems and user reputation related?
Author of the presentation: Rainer Baeder, head of the solutions consulting centre at Fortinet (Germany).
The presentation was given at the conference INFORMATION SYSTEMS SECURITY, held on 11 April 2013, intended for state institutions and organizations of national importance.
Lumension Endpoint Management and Security Suite 2012 - Andris Soroka
Presentation of the new endpoint security management platform from Lumension, given by Andris Soroka in Warsaw at the headtechnology Poland event Headlight2012.
The Art of the Pitch: WordPress Relationships and Sales - Laura Byrne
Clients don’t know what they don’t know. What web solutions are right for them? How does WordPress come into the picture? How do you make sure you understand scope and timeline? What do you do if something changes?
All these questions and more will be explored as we talk about matching clients’ needs with what your agency offers without pulling teeth or pulling your hair out. Practical tips, and strategies for successful relationship building that leads to closing the deal.
Accelerate your Kubernetes clusters with Varnish Caching - Thijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Epistemic Interaction - tuning interfaces to provide information for AI support - Alan Dix
Paper presented at SYNERGY workshop at AVI 2024, Genoa, Italy. 3rd June 2024
https://alandix.com/academic/papers/synergy2024-epistemic/
As machine learning integrates deeper into human-computer interactions, the concept of epistemic interaction emerges, aiming to refine these interactions to enhance system adaptability. This approach encourages minor, intentional adjustments in user behaviour to enrich the data available for system learning. This paper introduces epistemic interaction within the context of human-system communication, illustrating how deliberate interaction design can improve system understanding and adaptation. Through concrete examples, we demonstrate the potential of epistemic interaction to significantly advance human-computer interaction by leveraging intuitive human communication strategies to inform system design and functionality, offering a novel pathway for enriching user-system engagements.
State of ICS and IoT Cyber Threat Landscape Report 2024 preview - Prayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio's cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors and newer malware, including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Neuro-symbolic is not enough, we need neuro-*semantic* - Frank van Harmelen
Neuro-symbolic (NeSy) AI is on the rise. However, simply machine learning on just any symbolic structure is not sufficient to really harvest the gains of NeSy. These will only be gained when the symbolic structures have an actual semantics. I give an operational definition of semantics as “predictable inference”.
All of this illustrated with link prediction over knowledge graphs, but the argument is general.
Search and Society: Reimagining Information Access for Radical Futures - Bhaskar Mitra
The field of Information retrieval (IR) is currently undergoing a transformative shift, at least partly due to the emerging applications of generative AI to information access. In this talk, we will deliberate on the sociotechnical implications of generative AI for information access. We will argue that there is both a critical necessity and an exciting opportunity for the IR community to re-center our research agendas on societal needs while dismantling the artificial separation between the work on fairness, accountability, transparency, and ethics in IR and the rest of IR research. Instead of adopting a reactionary strategy of trying to mitigate potential social harms from emerging technologies, the community should aim to proactively set the research agenda for the kinds of systems we should build inspired by diverse explicitly stated sociotechnical imaginaries. The sociotechnical imaginaries that underpin the design and development of information access technologies needs to be explicitly articulated, and we need to develop theories of change in context of these diverse perspectives. Our guiding future imaginaries must be informed by other academic fields, such as democratic theory and critical theory, and should be co-developed with social science scholars, legal scholars, civil rights and social justice activists, and artists, among others.
Connector Corner: Automate dynamic content and events by pushing a button - DianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
DevOps and Testing slides at DASA Connect - Kari Kakkonen
My and Rik Marselis' slides at the 30.5.2024 DASA Connect conference. We discuss what testing is, then what agile testing is and finally what Testing in DevOps is. Finally we had a lovely workshop with the participants, trying to find out different ways to think about quality and testing in different parts of the DevOps infinity loop.
GraphRAG is All You need? LLM & Knowledge Graph - Guy Korland
Guy Korland, CEO and Co-founder of FalkorDB, will review two articles on the integration of language models with knowledge graphs.
1. Unifying Large Language Models and Knowledge Graphs: A Roadmap.
https://arxiv.org/abs/2306.08302
2. Microsoft Research's GraphRAG paper and a review paper on various uses of knowledge graphs:
https://www.microsoft.com/en-us/research/blog/graphrag-unlocking-llm-discovery-on-narrative-private-data/
JMeter webinar - integration with InfluxDB and Grafana - RTTS
Watch this recorded webinar about real-time monitoring of application performance. See how to integrate Apache JMeter, the open-source leader in performance testing, with InfluxDB, the open-source time-series database, and Grafana, the open-source analytics and visualization application.
In this webinar, we will review the benefits of leveraging InfluxDB and Grafana when executing load tests and demonstrate how these tools are used to visualize performance metrics.
Length: 30 minutes
Session Overview
-------------------------------------------
During this webinar, we will cover the following topics while demonstrating the integrations of JMeter, InfluxDB and Grafana:
- What out-of-the-box solutions are available for real-time monitoring JMeter tests?
- What are the benefits of integrating InfluxDB and Grafana into the load testing stack?
- Which features are provided by Grafana?
- Demonstration of InfluxDB and Grafana using a practice web application
To view the webinar recording, go to:
https://www.rttsweb.com/jmeter-integration-webinar
Let's dive deeper into the world of ODC! Ricardo Alves (OutSystems) will join us to tell all about the new Data Fabric. After that, Sezen de Bruijn (OutSystems) will get into the details on how to best design a sturdy architecture within ODC.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality - Inflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Slack (or Teams) Automation for Bonterra Impact Management (fka Social Soluti... - Jeffrey Haguewood
Sidekick Solutions uses Bonterra Impact Management (fka Social Solutions Apricot) and automation solutions to integrate data for business workflows.
We believe integration and automation are essential to user experience and the promise of efficient work through technology. Automation is the critical ingredient to realizing that full vision. We develop integration products and services for Bonterra Case Management software to support the deployment of automations for a variety of use cases.
This video focuses on the notifications, alerts, and approval requests using Slack for Bonterra Impact Management. The solutions covered in this webinar can also be deployed for Microsoft Teams.
Interested in deploying notification automations for Bonterra Impact Management? Contact us at sales@sidekicksolutionsllc.com to discuss next steps.
Damballa Overview
1. Transforming the Fight Against Cyber Threats
David Petty
May 30, 2012
David.Petty@damballa.com
949-325-4625
When malware talks…Damballa listens
2. Why Damballa Advanced Threat Protection?
Mitigate corporate Risk
• Discover hidden threats that have gone undetected
• Terminate criminal communications and the risk of data theft
• Earliest possible discovery of emerging threats
Improve security team Efficiency
• Threat Conviction Engine effectively eliminates false-positives
Improve incident response Workflow
• Asset Risk Factor helps prioritize response and reduce cost of remediation
Secure ALL devices - traveling, mobile and BYOD….
• Analyze network behavior to protect any endpoint device regardless of infection vector or phase of threat lifecycle (PC, Mac, iPad, iPhone, Android, servers, embedded systems…)
3. ‘Protection’ has its limitations
[Diagram: routes into the Corporate Production Network]
• Through the ‘front door’ (ingress): network-based inbound malware capture and analysis tools; encrypted/armored, etc.
• Corporate Production Network assets: Win32 / Win64 PCs, Mac, embedded systems / POS / other OS
• Other routes: USBs / DVDs / cloud storage; traveling employees / contractors / BYOD (“Bring Your Own malware”); “Guest” network
How do you detect a breach?
4. Shifting from Protection to Detection
[Diagram: Corporate Production Network (PCs, Mac, embedded/POS, “Guest” network) with two detection approaches]
• Black lists / reputation systems (static): noisy alerts, false positives (not correlated with other evidence)
• Criminal communications: known bad destinations, mixed use destinations, new destinations (no history), covert channels
Damballa® FirstAlert - The most advanced cyber threat intelligence
- Early detection of emerging threats
- Machine-learning behavioral classifiers (heuristics)
Threat Conviction Engine - Automatically correlates behaviors seen
- Virtually eliminates false positives
Asset Risk Factor - Automatically assesses severity of breach
- Prioritization of risk and remediation
“…Damballa Failsafe 5.0 intelligently uncovers stealthy and hidden attacks masterfully avoiding any false positive alerts. Frost & Sullivan views this solution as a novel dimension to safeguard corporate networks.”
5. Active Threat Monitoring (Enterprise Networks)
We discover hidden infections that have gone undetected by preventative security measures: APT, advanced malware, targeted attacks…whatever.
• Network detection of suspicious downloads (inbound malware)
• Endpoints communicating to suspicious destinations
• Network behavior indicative of criminal communication
• DNS look-ups & activity indicative of criminal behavior
• Deep packet inspection and PCAPs of criminal traffic
Using the most advanced threat intelligence in the industry, correlating observations of criminal activity to positively identify hidden infections.
6. Damballa® Failsafe
• 1U Appliance
• Management Console & Sensor(s)
• Out-of-band (span or tap)
• Captures and assesses evidence from egress, proxy and DNS traffic to hunt for hidden threats
• Can terminate criminal communications
• Management Console pinpoints compromised assets; provides network and host forensics with criminal attribution
• Integrated workflow….
7. Damballa® Labs
Threat Analysis
• Thought Leadership: Blackhat, Defcon, RSA, USENIX, HackerHalted, FIRST, ISSA, IEEE, VB, etc.
• Sr. threat analysts, 10+ years experience, ex NSA, CIA, DoD
• Reverse engineering, deep penetration
• Publications: blogs, whitepapers, articles, training courses
Applied Research
• Thought Leadership: ACSAC, NSDI, ICDM, CCS, NDSS, RAID, etc.
• Doctorate-level, top-tier academics
• Big Data analysis, predictive analytics, Machine Learning
• Publications: top-tier academic conferences and patents
Notable Research Backers
8. Damballa® FirstAlert Cyber Threat Intelligence
[Diagram: data sources feeding the threat intelligence pipeline]
• Inputs: malware sharing feeds; ISP and Telco DNS; reputation systems; mobile malware; drive-by; corporate PCAP, DNS, email and URI data; malware and mobile honeypots; registry; drive-by and URI blacklists; external data feeds
• Processing: feature extractors and harvesters; DNS and URI correlation engines; predictive systems
9. Emerging Threat Discovery
Predictive Analysis Systems
• Threat growth characteristics and C&C structure are visible (and unique) at the DNS level.
• Possible to identify new C&C infrastructure prior to malware being captured and analyzed.
[Timeline: Set-up, Early Testing, Attack Launched, Malware First Discovered, Malware Updated; victims growing over weeks]
• Damballa detects threat weeks/months before malware is detected
• Malware continues to evade signature-based detection
10. Damballa® Failsafe
[Diagram: Enterprise Assets; Damballa Sensor(s) on DNS, Proxy and Egress traffic; Deep Packet Inspection of All Internet Traffic; Damballa Cyber Threat Intelligence]
Is the destination shady?
• Suspicious destination, low reputation or known bad
Is the traffic suspicious?
• Suspicious content, DPI of payload / executables / files
Is the behavior automated?
• Do the events appear to be software or human driven
Correlation of ‘behaviors seen’ pinpoints infected devices.
Damballa Failsafe identifies the ‘unknown’ threat, victim machines actively communicating with cyber criminals.
12. Actionable Intelligence
Victims Identified | Relative Risk Assessed | Threats Classified | Threat Activity Qualified
Asset Risk Factor - relative risk posed by an infected device, computed as a function f(x) of the following factors:
Factor              | Question                                                    | Scope
Bytes In            | Receiving instructions, updates, malware being repurposed?  | Local
Bytes Out           | Indicative of the amount of data stolen?                    | Local
Connection Attempts | How frequently is the asset communicating with a C&C?       | Local
Category            | Where does the asset sit / who does it belong to?           | Local
# of Threats        | Is the asset compromised with more than one threat?         | Global? No: Local
Severity            | What is the risk of the threat?                             | Global
AV Coverage         | For a specific threat, what is my relative AV coverage?     | Global
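The slide lists the inputs to the Asset Risk Factor but not the function itself. The following added example (not Damballa's f(x)) shows one way to turn those factors into a ranking: the local factors are expressed relative to the rest of the fleet as percentile ranks, the global factors (severity, AV coverage) come from the threat rather than the host, and a weighted sum orders the infected assets for response. The asset records, category weights and factor weights are constructed assumptions.

```python
"""Rank infected assets by a relative risk score built from the local and global
factors listed on the slide. Added example; the weights and the normalisation
are assumptions, not Damballa's Asset Risk Factor formula."""

# Constructed evidence, one record per infected asset.
# threats: list of (name, severity 0..1 [global], av_coverage 0..1 [global])
ASSETS = {
    "ws-02":  {"bytes_in": 2_000_000, "bytes_out": 150_000_000, "conn_attempts": 1400,
               "category": "finance", "threats": [("botnet-a", 0.9, 0.2)]},
    "ws-07":  {"bytes_in": 500_000, "bytes_out": 20_000, "conn_attempts": 60,
               "category": "guest", "threats": [("adware-x", 0.2, 0.95)]},
    "srv-db": {"bytes_in": 50_000, "bytes_out": 900_000_000, "conn_attempts": 300,
               "category": "datacenter", "threats": [("botnet-a", 0.9, 0.2), ("rat-q", 0.8, 0.0)]},
}

# Constructed: how much an asset's location / owner matters ("Category" factor).
CATEGORY_WEIGHT = {"datacenter": 1.0, "finance": 0.9, "engineering": 0.7, "guest": 0.2}

# Constructed factor weights; bytes out and severity dominate because data loss
# is the outcome the slide is prioritising.
DEFAULT_WEIGHTS = {"bytes_in": 1, "bytes_out": 2, "conn_attempts": 1, "category": 1.5,
                   "threats": 1, "severity": 2, "exposure": 1.5}


def relative_rank(values):
    """Map each value to its position among the distinct fleet values, scaled 0..1.
    This is what makes the local factors *relative*: 150 MB out is alarming on a
    workstation but unremarkable next to a server shipping 900 MB."""
    order = sorted(set(values))
    return [order.index(v) / max(len(order) - 1, 1) for v in values]


def asset_risk_factors(assets, weights=None):
    """Return {asset: score in 0..1} combining local (fleet-relative) and global factors."""
    w = weights or DEFAULT_WEIGHTS
    names = list(assets)
    local = {n: {} for n in names}
    for key in ("bytes_in", "bytes_out", "conn_attempts"):
        for n, r in zip(names, relative_rank([assets[n][key] for n in names])):
            local[n][key] = r
    threat_count_rank = relative_rank([len(assets[n]["threats"]) for n in names])
    scores = {}
    for n, tc in zip(names, threat_count_rank):
        a = assets[n]
        severity = max(s for _, s, _ in a["threats"])
        # "Exposure": a severe threat the local AV does not cover is the worst case.
        exposure = max(s * (1.0 - cov) for _, s, cov in a["threats"])
        total = (w["bytes_in"] * local[n]["bytes_in"]
                 + w["bytes_out"] * local[n]["bytes_out"]
                 + w["conn_attempts"] * local[n]["conn_attempts"]
                 + w["category"] * CATEGORY_WEIGHT.get(a["category"], 0.5)
                 + w["threats"] * tc
                 + w["severity"] * severity
                 + w["exposure"] * exposure)
        scores[n] = total / sum(w.values())
    return scores


def prioritize(assets, weights=None):
    """Assets in the order an incident responder should look at them."""
    scores = asset_risk_factors(assets, weights)
    return sorted(scores, key=lambda n: (-scores[n], n))


if __name__ == "__main__":
    for name, score in sorted(asset_risk_factors(ASSETS).items(), key=lambda kv: -kv[1]):
        print(f"{name:8s} {score:.3f}")
```

With the constructed records the database server comes first: it is exfiltrating the most data, sits in the most sensitive category, carries two threats, and one of them has no AV coverage at all. The guest workstation with low-severity adware that AV already covers lands at the bottom even though its byte counts are not zero.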
13. Actionable Intelligence
Victims Identified | Relative Risk Assessed | Threats Classified | Threat Activity Qualified
Full Forensics: full forensics for all behaviors seen
• All Events in Sequence
• Full PCAPs for malicious traffic
• Malicious malware captured
• Malware trace reports (host and network behaviors)
• Bytes in / Bytes out
• Ports / Traffic type
• Connection status (failed, proxy blocked, completed)
• Category and priority of risk of endpoint
• Threat operator profile
• Endpoint compromise history
• Geo-location of C&C
14. Identifying Zero Day Malware
1. Identify Suspicious Files in Motion
Behaviors Seen & Benefits:
• Suspicious files in motion
• Malicious structure
• Source / URI identification
• Unique victim enumeration
• Initial threat assessment
• Zero day files captured
2. Cloud Interrogation of Suspicious Files
Behaviors Seen & Benefits:
• Full malware lifecycle
• Network & host behaviors
• AV scanner results
• Extensive dynamic analysis
• Ongoing trace report updates
• Behaviors feed Damballa Labs
3. Full Malware Forensics Report in the Damballa Failsafe Console
15. Identifying Criminal Communication
[Figure: a victim host running a Dynamic Generation Algorithm (DGA) or a configuration file resolves C&C names through the recursive and authoritative DNS path, then passes the firewall and egress point to reach the criminal C&C server, with the TCP/IP session and the proxy filtering as further observation points.]
DNS
Behaviors Seen & Benefits:
• Malicious DNS queries
• Domain fast-fluxing detection
• C&C location
• New domain queries
• Unique victim enumeration
• Detection prior to egress
• DNS query termination
TCP/IP Session
Behaviors Seen & Benefits:
• C&C connection behaviors/success
• URI identification (incl. HTTPS)
• Malicious file identification (Malware)
• Unique victim enumeration
• Detection prior to egress
• Full packet capture
• Session termination
Proxy
Behaviors Seen & Benefits:
• C&C connection behaviors/success
• URI identification (incl. HTTPS)
• Malicious file identification (Malware)
• Unique victim enumeration
• Bytes-in & bytes-out monitoring
• Full packet capture
• Session termination
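Two of the DNS-level behaviours on this slide, DGA-style names and fast-flux resolution, can be spotted from resolver logs before any TCP session leaves the network. The script below is an added example (not Damballa's detector) that scores the registrable label of each queried name for DGA-like character statistics, flags names that resolve to many addresses with short TTLs, and lists the clients that queried either kind, which is the "unique victim enumeration" and "detection prior to egress" outcome the slide describes. The log lines, addresses (RFC 5737 ranges) and thresholds are constructed.

```python
"""DNS-side indicators from the slide, run over a constructed resolver log:
DGA-looking names and fast-flux resolution. Added example, not Damballa's
detection logic; thresholds are assumptions."""
import math
from collections import defaultdict

# Constructed resolver log: (client, qname, answer_ip, ttl_seconds).
DNS_LOG = [
    ("ws-02", "x7q2kd9v3plm.test", "203.0.113.10", 60),   # one name, five addresses, 60 s TTL
    ("ws-02", "x7q2kd9v3plm.test", "203.0.113.77", 60),
    ("ws-02", "x7q2kd9v3plm.test", "198.51.100.5", 60),
    ("ws-02", "x7q2kd9v3plm.test", "198.51.100.9", 60),
    ("ws-02", "x7q2kd9v3plm.test", "192.0.2.33", 60),
    ("ws-05", "qpwz81mlxv0s.test", "192.0.2.40", 30),     # DGA-looking, single answer so far
    ("ws-01", "www.example-good.test", "203.0.113.1", 3600),
    ("ws-01", "mail.example-good.test", "203.0.113.2", 3600),
    ("ws-03", "cdn.example-good.test", "203.0.113.3", 300),  # CDN: two addresses, normal TTL
    ("ws-03", "cdn.example-good.test", "203.0.113.4", 300),
]


def shannon_entropy(s):
    """Bits per character; random-looking labels score close to log2(len)."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values())


def registrable_label(qname):
    """Label directly under the TLD (assumption: no multi-level public suffixes)."""
    parts = qname.rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_like(qname, min_len=10, min_entropy=3.0):
    """Heuristic: long, high-entropy label that is digit-heavy or nearly vowel-free.
    Entropy alone is not enough ("example-good" is also high-entropy)."""
    label = registrable_label(qname)
    if len(label) < min_len:
        return False
    digits = sum(ch.isdigit() for ch in label) / len(label)
    vowels = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= min_entropy and (digits >= 0.25 or vowels < 0.15)


def fast_flux_candidates(log, min_ips=4, max_ttl=300):
    """Names whose answers rotate through many addresses with short TTLs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _client, qname, ip, ttl in log:
        ips[qname].add(ip)
        ttls[qname].append(ttl)
    return sorted(q for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl)


def analyze(log):
    """Flagged names, the clients that asked for them, and the names to answer with a sinkhole."""
    dga = sorted({q for _, q, _, _ in log if dga_like(q)})
    flux = fast_flux_candidates(log)
    flagged = set(dga) | set(flux)
    victims = sorted({client for client, q, _, _ in log if q in flagged})
    return {"dga": dga, "fast_flux": flux, "victims": victims, "sinkhole": sorted(flagged)}


if __name__ == "__main__":
    for key, value in analyze(DNS_LOG).items():
        print(f"{key:10s} {value}")
```

Because the resolver answers before the victim opens a connection, the names in `sinkhole` can be terminated or redirected at the DNS layer, which is the "DNS query termination" control on the slide; the CDN name with two addresses and a 300 s TTL is deliberately below the fast-flux threshold.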
16. Protection From The ‘Unknown’ Threat
Enables rapid, automated incident response
• Rapid and positive identification of compromised assets
• Asset Risk Factor and Threat Conviction Scores prioritize response
• Terminate malicious communications and/or sinkhole DNS requests
Provides comprehensive threat protection
• Platform agnostic: Windows, Linux, Apple, Android, Blackberry
• Leading academic research and advanced threat intelligence
Force multiplier for over-tasked security teams
• No more manual analysis of millions of lines of logs and false alerts
• Automated aggregation and assessment of evidence/forensics:
- Automatically Identifies the infection, threat and risk
- Provides actionable intelligence
• Security teams can focus on improving policies and threat defense
17. Competition and Value Proposition
Damballa’s unique strengths include:
Our solution scales much better than our competition’s. Our standard sensor handles 2 gbs.
We detect emerging threats and protect our customers even before the malware is ever discovered and analysed by our competition.
We have a lower false positive rate than our competition and accurately detect more threats.
19. Advanced Malware Infection Cycle
[Figure: infection cycle diagram. Criminal Command & Control: multiple C&C proxies / separate C&C portals; updates to the list of C&Cs; remote access & control; update malware location. Updater Site: malware updates; download payload. Downloader: host malware agent(s); confirm installation; agent integrity checking; agent selection criteria; locking of agent to victim; “Is this a real machine?”; “Have I seen it before?”; whitelisted repositories; unique malware agent. Repository / Data Repository: logging of install successes; encrypted files from victim; stolen passwords & PII. Dropper(s), post unpack: disable local security; prevent updates/patches; delete dropper/installer; inventory victim; clear logs & events. Post agent install: catalogue & inventory. Victim: the dropper unpacks on the victim machine and runs; the malware is updated/customized.]
20. Advanced Malware Infection Cycle
Damballa Failsafe monitors network traffic and correlates suspicious ‘behaviors seen’ to rapidly identify assets under criminal control, and stop data theft due to malware breaches.
[Figure: the same infection cycle elements (Downloader, Repository, Dropper(s), C&C Portals, C&C Proxies, Victim); the dropper unpacks on the victim machine and runs, and the malware is updated/customized.]
Editor's Notes
As we discussed, the malware is increasingly capable of evading your security defenses. In addition, there are a whole host of infection vectors that can compromise your network and form the basis for a breach. Your mobile employees can bring malware into the organization when they reconnect to your network, and USB devices and such serve as other ‘carriers’ of malware.
April 15, DarkReading – (International) SAP, other ERP applications at risk of targeted attacks. Backdoor Trojan viruses and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren’t just for Windows PCs anymore — SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. A researcher at Black Hat Europe in Barcelona, Spain this week demonstrated techniques for inserting backdoors into SAP applications to enable attackers to gain control of them. The director of research and development at Onapsis said an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data. The hacks do not exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company’s electronic payments to a vendor, for example. “So every automated payment to that vendor would go to the attacker’s [bank] account [instead],” the director said. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=224400438
[Failsafe Screen Shot] With Damballa Failsafe, Security Analysts and Incident Responders no longer need to react to noisy alerts or manually search through logs to identify infections. Damballa Failsafe automatically captures evidence of malicious communications, correlates the suspicious events, pinpoints those assets under criminal control and enables you to stop the loss of sensitive data. Victim machines are automatically assigned a Risk Factor to prioritize the compromises that require immediate attention. All forensic evidence is displayed … and ongoing monitoring allows you to ensure you have successfully remediated the threat. For each Threat that we identify on a victim machine, we provide a Threat Conviction Score indicating the confidence level we are placing on our detection based on the behaviors we have seen. And for every infected asset, we provide an Asset Risk Factor, indicating which assets we believe represent the biggest risks to your enterprise and represent the biggest risk for data loss and breach activity. This allows your incident response team to easily prioritize their remediation and investigation activities…
Step 1: Indictment Phase
Sensors will identify all raw PE32 and PDF files seen in traffic.
Sensors examine each file for MD5, source, and structure.
Decision is made if the file is “Suspicious” or “Malicious”, AKA ‘The Indictment’.
If indicted as “Malicious”, it means we have seen the MD5 hash before; otherwise the file is listed as ‘Unverified’ in the Asset Summary Screen & Suspicious File Report, and the reasons for suspicion are displayed. At this point, the Malware Admin can save the file to a local machine.
If ‘Indicted’ then the file goes to the cloud for processing (Auto / Manual Submit):
Auto: File is sent immediately to Damballa Labs for processing.
Manual: Customer must hit submit (Asset Summary Screen / Suspicious File Report).
Step 2: Conviction Phase
Damballa Labs runs the file through AV scanners and Dynamic Analysis in Dirty Space.
Damballa Labs reviews system outputs and makes a decision: Malicious | Suspicious | Benign.
Malicious files are now part of training sets and continuously examined.
By examining malware at Damballa Labs, the behaviors identified enable:
Malware Grouping & Clustering | Threat operator enumeration and attribution
Malware & C&C Linkage | Malware family-tree reconstruction
Public Victim Enumeration | Authoritative DNS and Sinkholing of domains
Network Behavioral Clustering | 0-day exploit and malware family discovery
Pay-per-Install Milking | New droppers & payloads from crime servers
Long-term Monitoring | Specific malware and threat infiltration
Step 3: Malware Forensics Report
Target delivery time is 10 minutes for the initial report.
Report includes: the reason why the file was convicted as ‘Malicious’, ‘Suspicious’ or ‘Benign’; a Summary Report; a Detailed Report.
Reports are ‘living’ – they are updated constantly as we learn more about the malware.
Enables actionable intelligence for remediation efforts, risk prioritization, and delivery of the file to AV vendors for signature creation.
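The Step 1 "indictment" in these notes (and the "malicious structure" check on slide 14) is a sensor-side decision made from three things: file type, MD5, and structure. The following added example (not Damballa's sensor code) shows that decision over constructed in-memory files: it recognises PE32 and PDF content, records the MD5 and source, runs a few structural checks, and returns "Malicious" when the hash is already known, "Suspicious" when the structure gives a reason, and "Unverified" otherwise. The structural checks, the minimal PE builder and the known-hash set are constructed assumptions, chosen to be illustrative rather than exhaustive.

```python
"""Sensor-side file indictment: type, MD5, source and structure for files in motion.
Added example, not Damballa code. The PE/PDF checks below are a constructed
subset; the "known hash" set is constructed from a sample file in this script."""
import hashlib
import struct


def build_pe(nsections=2):
    """Construct a minimal PE32 byte blob: DOS header with e_lfanew, PE signature,
    COFF header, zeroed optional header. Not loadable; for parsing only."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)          # e_lfanew -> PE header at 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, nsections, 0, 0, 0, 0xE0, 0x0102)
    return bytes(dos) + b"PE\0\0" + coff + bytes(0xE0)


# Constructed samples.
GOOD_PE = build_pe()
BAD_PE = b"MZ" + bytes(62)                           # MZ stub whose e_lfanew (0) points at no PE header
CLEAN_PDF = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF"
JS_PDF = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
          b"2 0 obj << /S /JavaScript /JS (x) >> endobj\n%%EOF")
# Constructed "seen before" list: pretend BAD_PE's hash was convicted earlier.
KNOWN_MALICIOUS_MD5 = {hashlib.md5(BAD_PE).hexdigest()}


def pe_structure_reasons(data):
    """Structural oddities in a PE32 file worth flagging (constructed subset)."""
    if len(data) < 0x40:
        return ["truncated DOS header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return ["MZ header without valid PE signature"]
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    reasons = []
    if machine not in (0x14C, 0x8664):               # i386 / x86-64
        reasons.append(f"unknown machine type 0x{machine:x}")
    if nsections == 0 or nsections > 96:
        reasons.append(f"implausible section count {nsections}")
    return reasons


def pdf_structure_reasons(data):
    """Active-content markers in a PDF worth flagging (constructed subset)."""
    reasons = []
    markers = ((b"/JavaScript", "embedded JavaScript"), (b"/JS", "embedded JavaScript"),
               (b"/OpenAction", "auto-run action on open"), (b"/Launch", "launch action"),
               (b"/EmbeddedFile", "embedded file"))
    for token, why in markers:
        if token in data and why not in reasons:
            reasons.append(why)
    if b"%%EOF" not in data:
        reasons.append("missing %%EOF trailer")
    return reasons


def indict(data, source, known_hashes=frozenset()):
    """Return the indictment record, or None when the file type is not tracked."""
    if data[:2] == b"MZ":
        ftype, reasons = "PE32", pe_structure_reasons(data)
    elif data.startswith(b"%PDF-"):
        ftype, reasons = "PDF", pdf_structure_reasons(data)
    else:
        return None
    md5 = hashlib.md5(data).hexdigest()
    if md5 in known_hashes:
        verdict = "Malicious"        # hash seen before: convicted on sight
    elif reasons:
        verdict = "Suspicious"       # structure gives a reason; goes to cloud interrogation
    else:
        verdict = "Unverified"       # nothing known yet; listed for the malware admin
    return {"type": ftype, "md5": md5, "source": source, "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, blob in (("GOOD_PE", GOOD_PE), ("BAD_PE", BAD_PE), ("CLEAN_PDF", CLEAN_PDF), ("JS_PDF", JS_PDF)):
        print(name, indict(blob, "http://dl.example.test/" + name, KNOWN_MALICIOUS_MD5))
```

The same blob is "Suspicious" with an empty known-hash set and "Malicious" once its MD5 is on the list, which is exactly the ordering the notes describe: the hash lookup decides first, and the structural reasons are what the analyst sees for everything the hash lookup cannot settle.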