Paolo Passeri - A Multi Layered Approach to Threat Intelligence

MILAN 20/21.11.2015
A Multi Layered Approach to Threat
Intelligence
Paolo Passeri

MILAN 20/21.11.2015 - Paolo Passeri
Powered by OpenGraphiti
Malware is Increasingly Sophisticated but…

• Cybercrime is lucrative and is offered as a service
• Barrier to entry opportunistic attacks is low
• State sponsored attacks and organized crime are well founded
• New malware samples emerge at unprecedented pace
• Malware is more and more sophisticated, even for opportunistic attacks
…The Entry Barrier is low
20001990 1995 2005 2010 2015 2020
Viruses
1990–2000
Worms
2000–2005
Spyware and Rootkits
2005–Today
APTs Crime as a Service
Today +
Hacking Becomes
an Industry
Sophisticated Attacks,
Complex Landscape
Phishing, Low
Sophistication
Addressing the Full Attack Continuum: Before, During, and After an Attack: http://www.cisco.com/web/learning/le21/le34/assets/events/i/gar tner_BDA_W hitepaper.pdf

An Increased Attack Surface
ADOPTION OF
CLOUD SERVICES
Users are increasingly
adopting cloud based
productivity tools bypassing
centralized controls and
accessing the services from
any device, anywhere.
By 2018, 25% of corporate
data traffic will bypass the
perimeter security,
connecting directly mobile
devices to the cloud.
Since this traffic bypasses
the perimeter, by 2016 30%
of targeted attacks will
specifically target remote
offices and entry points.
SHIFTING
PARADIGM
New attack vectors have
changed the security
model: attacker do not
penetrate the defensed
directly but lure the victims
to be compromised.

Observable Elements During Attack Lifecycle
Attackers’ Payloads
Exploit Kit or Custom Code
Known or Zero-Day Vulnerability
Hardcode or DGA Callbacks
Communication Port/Protocols
Attackers Themselves
Tools, Tactics & Procedures
Industries & Data Targeted
Motivations & Affiliations
Languages & Geo-Regions
Attackers’ Infrastructure
Setup Networks (& ASNs)
Setup Servers (& Nameservers)
Allocate IP Address Space
Register (& Flux) Domains

RECON STAGE CALLBACK PERSISTLAUNCH EXPLOIT INSTALL
PAYLOAD
Exploit Kit or Custom Code
Known or Zero-Day Vulnerability
Hardcode or DGA Callbacks
Communication Port/Protocols
ATTACKER
Tools, Tactics & Procedures
Industries & Data Targeted
Motivations & Affiliations
Languages & Geo-Regions
INFRASTRUCTURE
Setup Networks (& ASNs)
Setup Servers (& Nameservers)
Allocate IP Address Space
Register (& Flux) Domains
OBSERVABLE ELEMENTS
Hours to Months Seconds Months
Opportunistic
Targeted
TARGET BREACHCOMPROMISE
PIVOT
The Kill Chain (a possible model)

MONTHSHOURSMINUTES
Breach occurs In 60% of cases attackers are able
to compromise an organization
within minutes.
The average time to discover a
breach caused by an external
attacker is 256 days.
START
Source: Verizon Data Breach Report 2015, Ponemon Data Brech Cost 2015
Impact of a Breach
75% of attacks observed spread
from one victim to another within
24 hours, and over 40% hit the
second organization one hour
later

Anatomy of a Drive-By/Watering-Hole Attack
STAGE
Attackers identify a
legitimate vulnerable site
and inject a malicious
iFrame.
The unaware victim
visits the compromised
page.
LAUNCH
EXPLOIT The iFrame redirects the
user to an Exploit Kit
landing page. The EK
exploits a client
vulnerability to inject the
payload.
INSTALL
The Endpoint is
compromised and under
direct control of the
attacker
Drive-By attacks are used for opportunistic campaigns, watering-holeattacks for targeted campaigns.
In both cases the attacker can deploy sophisticated malware.
CALLBACK

Anatomy of a Spear Phishing Attack
Attackers identify the
victim’s habits and
weaknesses
(technological and
behavioural).
The malicious message
is sent, it exploits
software and human
vulnerabilities.
The Human Vulnerability
leads the user to open the
attachment. The software
vulnerability executes
arbitrary code once the
attachment is opened.
The Endpoint is
compromised and under
direct control of the
attacker
Subject: Your Pay rise0-day
RECON
STAGE
LAUNCH
EXPLOIT
INSTALL
CALLBACK
PERSIST

RECON STAGE
TARGET
CALLBACK PERSIST
BREACH
LAUNCH EXPLOIT INSTALL
COMPROMISE
PIVOT
Infrastructure
Domain Classification
Network
FW/IPS, Web/Email Gateways,
1st
Gen Network Sandboxes
Endpoint
AV, 1st
Gen Sandbox
Infrastructure
Domain Classification,
IP/Domain Reputation
Infrastructure
Domain
Classification
. IP/Domain
Reputation
Network
FW/IPS, Web
Gateways,
IP/Domain
Reputation
Countermeasures
Countermeasures
Endpoint
AV, 1st
Gen
Sandbox
Policies
User Education

RECON STAGE
TARGET
CALLBACK PERSIST
BREACH
LAUNCH EXPLOIT INSTALL
COMPROMISE
PIVOT
Infrastructure
Obfuscation, Domain
Shadowing
Network
Encryption, Obfuscation
Steganography
Endpoint
Packing, Polymorphism (AV
Evasion), Sandbox Detection
Infrastructure
Malvertising, Obfuscation,
Domain Shadowing
Infrastructure
Hardcoded IP,
DGA, Fast
Flux, P2P,
TOR
callbacks.
And the multiple Ways to Evade Them
Evasion
Endpoint
Polymorphism
(AV Evasion),
Sandbox
Detection
CALLBACK

Evading Network Detection

Evading Detection: Network and Reputation
Attackers can use multiple ways to avoid
detection at the network level
During the Install Phase:
• Encrypted Payload on legitimate
traffic/ports.
• Use of DDoS attacks to cloak subtle
operations.
• Malvertising spreading malicious content
on legitimate sites via Ad networks (hard to
detect and categorise).
During the callback phase:
• Use encrypted protocols, P2P, TOR
callbacks
• Callbacks, hidden in Social Network,
legitimate forum pages…
• DGA, Fast-Flux, Domain shadowing

Evading Detection: Evolution of Callbacks & Domain
Shadowing
HARD-CODED IP
@23.4.24.1
“FAST FLUX”
@23.4.24.1
bad.com?
@34.4.2.110
@23.4.34.55
@44.6.11.8
@129.3.6.3
DOMAIN GENERATION
ALGORITHM
rnd.com?
@34.4.2.110
rnd.biz?
@8.2.130.3
@12.3.2.1
@67.44.21.1
DOMAIN
SHADOWING
@129.3.6.3
@23.4.24.1
hjacklegitdomain.com
decg
dojamg
rnd.net?

Evading Categorization: Exploit Kit Landing Pages
• Attackers try to obfuscate EK landing
pages to avoid categorization from AV
or other security solutions.
• Latest techniques include adding
passages of classic text (the example
reports several passages from “Sense
and Sensibility)
• The use of text from more
contemporary works such as
magazines and blogs is another
effectivestrategy. Source: Cisco Security Research

Fighting AV Detection

• Building AV signatures is a time consuming
and error-prone process.
• Cybercrime-as-a-service models make the
entry barrier low.
• On average, 390,000 new malicious
programs are detected every day
• 95 % of malware types show up for less
than a month and 4 of 5 don’t last beyond a
week.
• 70–90% of malware samples are unique
to an organization.
• Keeping up it’s simply impossible, as well as
useless.
source: http://avtest.org, Verizon 2015 DBIR Report
Evading Detection: Endpoint/Network AV

Do you Want to Play in My Sandbox?

• Sandboxes have been conceived to
overcome the limitation of signature-
based analysis.
• Malware authors are increasing their
use of sandbox detection
techniques.
• Evasion techniques are becoming
more and more sophisticated:
• sleeping,
• stalling loops,
• hypervisor checks, registry checks,
Memory and vCores enumeration
• Human activity checks,
• API calls executed directly in
assembler. Example of several evasion techniques from http://www.malwarestats.org
Evading Detection: Sandboxes
Sophistication

Nothing to see (and to detect) here… Please disperse…

Source: http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs
Targeted Attack Hierarchy of Needs

Building a Solid Foundation
• Trying to fight advanced threats
ignoring the fundamentals is not an
effective approach.
• Focus on identifying a realistic
security strategy, recruit the right
staff and implement the basic
countermeasures.

An Integrated Portfolio that Enables
Orchestration
This concept applies to Processes and
technologies.
• Create a process framework that
removes “silos” and allows
communication between internal
entities.
• When evaluating technology, prioritize
vendors that offer multiple pillars as
well as those that have third-‐party
integrations that make
operationalizing thesolution effective.

BEFORE
Discover
Enforce
Harden
AFTER
Scope
Contain
Remediate
Detect
Block
Defend
DURING
VISIBILITY
AND
CONTEXT
BEFORE
Comprehensive awareness and
visibility in order to predict
threats, educate users,
implement policies and controls.
BEFORE
DURING
Identify the threat context.
Collect and correlate data from
multiple points. Evolve into a
continual analysis process.
DURING
AFTER
Apply a retrospective security
model: continuously gather
and analyze data to create
security intelligence.
AFTER
Gain Visibility Through the Attack Continuum
Open | Pervasive | Integrated | Continuous
http://www.cisco.com/web/learning/le21/le34/assets/events/i/gartner_BDA_Whitepaper.pdf

With an Adaptive Security Architecture
Source: Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks

Enforce Cloud Based Threat Intelligence to predict attacks
before they happen.
• DNS/WHOIS/Email/ASN allows to pivot through the
attacker infrastructure
PREVENT
Enforce the first level of Security at the DNS level: consider
the DNS as the gate to the Internet
Build a framework of solutions that interoperate and allow to
exchange in real time threat models and IoCs among the
different layers:
• NGFW/NGIPS
• Network based Sandboxes
• Email Security/Web Security Gateways
Enforce Cloud Based Threat Intelligence to perform
retrospective Analysis
RECON
STAGE
LAUNCH
EXPLOIT
INSTALL
CALLBACK
PERSIST
Cloud
Based
Threat
Intelligence
DETECT
RESPOND
Open|Pervasive|Integrated|Continuous
PREDICT
Deploy a Multi Layer Approach

Example: The Diamond Model of Intrusion Analysis
Adversary
Victim
Infrastructure Capability
IP Addresses
Domain Names
ASN
Email Addresses
Malware
Exploits
Hacker Tools
Personas
Network Assets
Email Addresses
Persona: email
addresses, handles, phone #’s
Network Assets
Source: The Diamond Model of Intrusion Analysis: http://www.dtic.mil/dtic/ tr/fulltext/ u2/a586960.pdf
Meta Features
• Timestamp
• Phase
• Result
• Direction
• Methodology
• Resources
An adversary deploys a capability over some
infrastructure against a victim. These activities are
called events. Analysts or machines populate the
model’s vertices as events are discovered and
detected. The vertices are linked with edges
highlighting the natural relationship between the
features.

Adversary
Victim
Infrastructure Capability
1
The victim (organization)
discovers a threat
2
Threat contains C2 domain
3
C2 domain resolves to C2 IP
4
Logs reveal further Victims
contacting C2 IP
5
IP Address ownership
reveals adversary
Source: The Diamond Model of Intrusion Analysis: http://www.dtic.mil/dtic/ tr/fulltext/ u2/a586960.pdf
By pivoting across edges and within
vertices, analysts expose more information
about adversary operations and discover
new capabilities, infrastructure, and
victims.
Applying The Diamond Model

Conclusions
• Malware is more and more
sophisticated and the entry barrier is
low from both a technical and
economical standpoint.
• The growing adoption of cloud
services and a new attack paradigm
(in->out) increase the attack surface.
• Evasion techniques are increasingly
common and are becoming more
and more aggressive.
• A multi layer approach to threat
intelligence allows to pivot through
the attackers’ infrastructure, making
the target able to: predict, detect and
perform retrospective analysis.

Leave your feedback on Joind.in!
https://m.joind.in/event/codemotion-milan-2015

Paolo Passeri - A Multi Layered Approach to Threat Intelligence

Recommended

Recommended

More Related Content

What's hot

What's hot (19)

Viewers also liked

Viewers also liked (8)

Similar to Paolo Passeri - A Multi Layered Approach to Threat Intelligence

Similar to Paolo Passeri - A Multi Layered Approach to Threat Intelligence (20)

More from Codemotion

More from Codemotion (20)

Recently uploaded

Recently uploaded (20)

Paolo Passeri - A Multi Layered Approach to Threat Intelligence