On the Hunt for Advanced Attacks? C&C Channels are a Good Place to Start
Moshe Zioni ( @dalmoz_ )
Security Research Manager, VERINT
LOOKING FOR APTS? C&C IS A GOOD PLACE TO START
On The Agenda
• Why focus on C&C?
• C&C - Landscape
• Trends in C&C implementations
• Traditional Approaches
• Our approach
• Limitations
• Proof-of-Concept results
• Takeaways
• Q&A
WHOAMI – credits & kudos
• Moshe Zioni ( @dalmoz_ )
• Leading a terrific group of talented researchers at VERINT
• Researching and developing cutting-edge, next-generation detection engines for malicious activity at very large enterprises and ISPs.
• Credit & kudos go to the Research team, especially to Eddie, Maria, Meir, Oren and Vadim, and to the Analysis team.
Why focus on C&C channels?
• Always present (almost)
• Network interception is practical, in contrast to other detection methods/layers
• While malware tends to be polymorphic, its communication protocol does not
• An old problem –
  • Current detection schemes are not so promising at detecting the ‘new’.
  • Traditional tactics rely heavily on somewhat naïve comparison.
C&C landscape

Distribution of protocols (pie chart): HTTP 62%, NATIVE 14%, P2P 10%, DNS 9%, ICMP 5%

Name             Method
Dridex           P2P, HTTP
Nano Locker      ICMP
Poison Ivy       HTTP
FLAME            HTTP
CITADEL          HTTP
Bergard          HTTP
Vawtrak URLZONE  HTTP
BlackMoon        HTTP
Wekby            DNS
ZeUS (GOZ)       HTTP (P2P)
DORKBOT          HTTP
SIMDA            NATIVE + HTTP
REGIN            NATIVE (TCP + UDP) + ICMP + HTTP
SOUNDFIX-11      HTTP
JAKUcalc         HTTP / NATIVE TCP / DNS
TrickBot         HTTP
GOZNYM           P2P
Trends in C&C implementations
• Rapid evolution, fast to respond
• Encryption of transmissions and payload
• Encapsulation of transmissions
• Steganography of messages
• P2P – forget about a single point of failure (SPOF)
Traditional Approaches

Signature based detection
• Blacklists / known patterns
• Constantly needs upkeep and maintenance
• Low false positive rate
• Forever reliant on intelligence and analysis
• Not suitable at all for finding ‘unknown’ schemes
• High false negative rate

Anomaly based detection
• Markov models
• ARMA (autoregressive moving average)
• Baseline comparison
• Assumes that normal traffic differs, in its statistical modelling, from malicious traffic, which might reveal novel schemes
• This assumption fails many times under current trends.
• High false positive rate
Our approach
Choosing an alternate path

What Do We Need?
We need something robust, that can “think” of many possibilities.
Rely on what we do know and induce further.
Fast (polynomial-time) results.
MACHINE LEARNING - For The Win!
Enter Machine Learning
Machine Learning is the science of providing a computer with the ability to “learn” by example and teach itself to find patterns.
There are many methods of ML – each one has its pros and cons.
The model ‘learns’ from known, classified data, and extrapolates to achieve results that are nontrivial (for a human).
Evolved from Pattern Recognition and Artificial Intelligence studies.
Supervised Learning
Relies on labelled training data.
Collection is key for an optimized model and for reducing error levels.
The data sample set should be comprised of encompassing, diverse and relevant data.
We used decision tree / random forest based supervised learning.
Feature Extraction
(Toy example, shown as an image across four build slides: a table of samples with the feature columns SUIT, TIE, CHARM, SMILE, BAD-TEETH, CAT and a CLASS label.)
Feature selection in TCP/HTTP

Session
• Time differences
• # of bytes
• How many requests got an answer?
• How much time did it take to get an answer?

TCP
• 5-tuple information
• Protocol
• IP payload
• Handshake data
• Flags
• Flow count

Protocol specific - HTTP:
• What is the length of the host name?
• Body length
• # of unique URI calls within the session
• # of “user agent” strings used & their values
• How many file types were downloaded?
• What is the average status code?
• What is the avg. length of the URI?
• Number of parameters

SSL/TLS
• Certificate metadata
• Negotiated cipher-suite
But, first
Appropriate data collection and feature engineering is crucial for a proper, effective model.
Machine learning results are hard to interpret – most of the time the question ‘How did the machine decide that this is malicious traffic?!’ is not straightforwardly answered.
Do not succumb to overfitting (e.g. params/samples >> 1).
In-the-Wild POC
Sample Results
Spamtorte – old version comm.
POST /some/uri.php HTTP/1.1
layer=cXJjb3JtYUJxamNwaW5jcWdwcSxhbW8=&dimm=Pl
dRR1A8YG12bGd2XW9ja25ncD4tV1FHUDwIPkxDT0c8IG9ja25ncGB
teiA+LUxDT0c8CD5RV0BIPHFyY28iYG12bGd2ImtsImNhdmttbD4tU
VdASDwIPlFATUZbPAhWamtxIm9ncXFjZWcidWNxInFnbHYiZHBtbyJj
ImFtb3JwbW9rcWdmIm9jYWprbGcsCD4tU UBNRls8&err=1
(Source: Akamai)
Spamtorte - version comparison
Old version body contents:
layer=cXJjb3JtYUJxamNwaW5jcWdwcSxhbW8=&dimm=Pl
dRR1A8YG12bGd2XW9ja25ncD4tV1FHUDwIPkxDT0c8IG9ja25ncGBteiA+LUxDT0c
8CD5RV0BIPHFyY28iYG12bGd2ImtsImNhdmttbD4tUVdASDwIPlFATUZbPAhWamtxIm9ncXFjZWcidWNxInFnbHYiZHBtbyJjI
mFtb3JwbW9rcWdmIm9jYWprbGcsCD4tU UBNRls8&err=1
(Source: Akamai)
New version POST request body contents (parameter names keep their first letter, the rest is randomized, 2-5 chars each):
ljj=Y24sZXBnZ2xnNTs1OyxjZUJlb2NrbixhbW8hY2hY24sZXdjcGZCbmdjdGt2dixhb
W8hY24sZXdY2tuLGFtbyFjbixld2tjcGZCam12b2NrbixkcCFjbixld2tjcGZCbmNybXF2
ZyxsZ3YhY24sZXdrYG10a2FqQmVvY2tuLGFtbw3%3D&dhgxbg=PldRR1A8Zm1sY2
5mcW1sNDQ6Pi1XUUdrcWo9Ij5gcDwiPmBwPCJwZ3JueyJvZyJrZCJ7bXcidW13bm
YibmtpZyJ2bSJxZ2cib3sicmptdm1xLCJRZ2cie21&ejv=o
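As an added example (not code from the talk or from Verint), the stdlib-only Python below computes the session and HTTP features listed on the feature-selection slide and the body-structure features that stay the same between the old and new Spamtorte bodies, next to a fixed-string rule of the blacklist kind that breaks on the renamed parameters. The host c2.example.invalid, the timings, byte counts and base64 values are all constructed.

```python
"""Feature extraction of the kind listed on the 'Feature selection in TCP/HTTP'
slide, plus body-structure features that survive the parameter-name randomization
seen in the Spamtorte old/new comparison. Everything here is constructed."""
import base64
from dataclasses import dataclass
from statistics import fmean
from typing import List, Optional
from urllib.parse import parse_qsl, urlencode, urlsplit

B64_ALPHABET = set("ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/=")


def _b64(text: str) -> str:
    return base64.b64encode(text.encode()).decode()


# Constructed stand-ins for the base64 blobs on the slides: same shape
# ('=' kept raw in the old body, %3D-encoded in the new one), but the
# parameter names change from layer/dimm/err to ljj/dhgxbg/ejv.
V_ID, V_TASK = _b64("bot id, constructed"), _b64("<task>constructed old</task>")
OLD_BODY = urlencode([("layer", V_ID), ("dimm", V_TASK), ("err", "1")], safe="=")
NEW_BODY = urlencode([("ljj", V_ID), ("dhgxbg", V_TASK), ("ejv", "o")])


@dataclass
class Exchange:
    """One request/response pair as a session reassembler would hand it over."""
    ts: float                  # request time, seconds from session start
    host: str
    uri: str                   # path plus query
    user_agent: str
    body: str                  # form-encoded POST body, '' for GET
    req_bytes: int
    status: Optional[int]      # None: the request never got an answer
    rtt: Optional[float]       # seconds until the answer, None if unanswered
    resp_bytes: int
    content_type: str          # '' when nothing came back


def legacy_signature_match(body: str) -> bool:
    """A fixed-string rule of the blacklist kind, written for the old body."""
    return "layer=" in body and "dimm=" in body and "err=" in body


def body_param_features(body: str) -> dict:
    """Shape of a form-encoded body; ignores the parameter names entirely."""
    values = [v for _, v in parse_qsl(body, keep_blank_values=True)]
    chars = "".join(values)
    return {
        "param_count": len(values),
        "mean_value_len": fmean([len(v) for v in values]) if values else 0.0,
        "b64_share": sum(c in B64_ALPHABET for c in chars) / len(chars) if chars else 0.0,
    }


def session_features(session: List[Exchange]) -> dict:
    """Session-level and HTTP-level features from the slide's list."""
    answered = [e for e in session if e.status is not None]
    gaps = [b.ts - a.ts for a, b in zip(session, session[1:])]
    params = [len(parse_qsl(urlsplit(e.uri).query, keep_blank_values=True))
              + body_param_features(e.body)["param_count"] for e in session]
    return {
        # Session
        "duration": session[-1].ts - session[0].ts,
        "mean_gap": fmean(gaps) if gaps else 0.0,
        "total_bytes": sum(e.req_bytes + e.resp_bytes for e in session),
        "answered_ratio": len(answered) / len(session),
        "mean_rtt": fmean([e.rtt for e in answered]) if answered else 0.0,
        # HTTP
        "host_len": fmean([len(e.host) for e in session]),
        "mean_body_len": fmean([len(e.body) for e in session]),
        "unique_uris": len({urlsplit(e.uri).path for e in session}),
        "user_agents": len({e.user_agent for e in session}),
        "file_types": len({e.content_type for e in answered if e.content_type}),
        "mean_status": fmean([e.status for e in answered]) if answered else 0.0,
        "mean_uri_len": fmean([len(e.uri) for e in session]),
        "mean_params": fmean(params),
    }


def constructed_session() -> List[Exchange]:
    """Three beacons and one module fetch to one constructed host; the last
    beacon goes unanswered. The .invalid TLD never resolves."""
    host, ua = "c2.example.invalid", "Mozilla/4.0 (compatible; constructed)"
    beacon = "/some/uri.php"
    return [
        Exchange(0.0, host, beacon, ua, OLD_BODY, 420, 200, 0.35, 180, "text/html"),
        Exchange(60.2, host, beacon, ua, OLD_BODY, 420, 200, 0.41, 180, "text/html"),
        Exchange(120.9, host, "/upd/mod.bin?v=2&arch=32", ua, "", 210, 200, 1.9,
                 50000, "application/octet-stream"),
        Exchange(181.0, host, beacon, ua, OLD_BODY, 420, None, None, 0, ""),
    ]
```

The dict from session_features is one row of the training matrix; the point of body_param_features is that its values are identical for OLD_BODY and NEW_BODY while legacy_signature_match flips from True to False.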
Spamtorte – Malware Upgrades
Filename             MD5                               Size
OLD (32bit version)  1faf27f6b8e8a9cadb611f668a01cf73  47,509
OLD (64bit version)  cb0477445fef9c5f1a5b6689bbfb941e  52,515
NEW (32bit version)  c547177e6f8b2cb8be26185073d64edc  87,875
NEW (64bit version)  d04c492a5b78516a7a36cc2e1e8bf521  95,063
Spamtorte - what made the machine spot it??
Relevant samples were from several sources, found to be “similar” to:
• CryptoWall
• TeslaCrypt
Getting a hold of the details:
SpamTorte v2: http://cyber.verint.com/spamtorte-version-2/
Extra! http://cyber.verint.com/nymaim-malware-variant/
Key takeaways
• Traditional schemes are not relevant for the goal of APT detection
• Machine Learning is key for uncovering unknown malicious traffic
• Collection is gold and should be considered the most crucial part of the operation; if it is not, the result may be very error-prone models
• C&C comms. are rapidly becoming encrypted (exp. features)
Thank You
Visit us at booth #G160!

InfoSecurity Europe 2017 - On The Hunt for Advanced Attacks? C&C Channels are a Good Place to Start


Editor's Notes

1. HTTP/S definitions; UDP/TCP; ICMP; Social networks? Dridex is p2p or http?
2. Steganography? Social networks?
3. Autoregressive moving average
4. TRAINING DATA – Easy example. Small set – cannot really extrapolate from a small bunch. Collection is key! Bias is dangerous – diversity, robust, clean
5.–7. (same note as 4, repeated for the three build slides)
8. Per domain features – sessions instead of http specific features. Another option is to add certificate to the circle together with other ssl/tls features
9. The payload itself (body) is different – Json -
10. Samples from samples – add some pcaps or at least names of families from which we derived this conclusion. Similarity breakdown (column malware_prediction), [count of alerts]: 1000052 – [~300] – CryptoWall; 1000053 – [~100] – TeslaCrypt