Extracting the Malware Signal from Internet Noise
Andrew Morris, Researcher
# whoami
• Andrew Morris
• Background in offense
• R&D @ Endgame
Tactical Insights from Global Trends
• My network is being scanned/attacked
– Am I being targeted specifically?
– Are other people seeing this as well?
• A vulnerability has been disclosed
– Is anyone probing for this vulnerability?
– Is anyone exploiting this vulnerability?
Faraday
A Global Network of Sensors
• Geographically & logically dispersed
• Omnidirectional Internet traffic for collection & analysis
• Untargeted malware
If something is *not* in Faraday, it is likely targeted
Capabilities
• iptables
• HTTP
• Telnet
• FTP
• SSH
• Strategic packet capture
• Custom sensors
Faraday Architecture
Four Kinds of Traffic on Your Network
The difference between these can be hundreds of thousands of dollars in incident response

                  Benign                          Malicious
Omnidirectional   Search Engines (e.g. Google)    Worm, Mass Exploit Campaign
Targeted          Regular Web User                Advanced Persistent Threat
My Network is Being Attacked
Omnidirectional Malicious: the attacking IP is already hitting the sensor network, so it is background noise
$ faraday --ip 123.123.123.123 | wc -l
42013
Targeted Malicious: no sensor anywhere has seen the attacking IP, so it is worth an investigation
$ faraday --ip 1.2.3.4 | wc -l
0
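The same triage without the faraday CLI, as an added example (not Endgame's code): join a local firewall log against a feed of sensor sightings and label every attacking source as omnidirectional, targeted, or ambiguous. The log format, the sighting tuples and the min_sensors threshold are assumptions, and all input below is constructed.

```python
"""Triage local attacker IPs against a global sensor feed (added example,
not Faraday code). Assumes a feed of (sensor_id, source_ip, dst_port)
sightings and a kernel-style firewall log; both are constructed here."""
from collections import defaultdict
from ipaddress import ip_address

# Constructed global sensor sightings: (sensor_id, source_ip, dst_port).
SENSOR_SIGHTINGS = [
    ("sensor-us-east", "123.123.123.123", 23),
    ("sensor-eu-west", "123.123.123.123", 23),
    ("sensor-ap-south", "123.123.123.123", 2323),
    ("sensor-us-east", "198.51.100.7", 22),
    ("sensor-us-east", "198.51.100.7", 22),
]

# Constructed local firewall log (hypothetical iptables LOG format).
LOCAL_LOG = """\
Feb 11 02:14:07 fw kernel: DROP SRC=123.123.123.123 DST=203.0.113.10 DPT=23
Feb 11 02:14:09 fw kernel: DROP SRC=1.2.3.4 DST=203.0.113.10 DPT=443
Feb 11 02:15:41 fw kernel: DROP SRC=198.51.100.7 DST=203.0.113.11 DPT=22
Feb 11 02:16:00 fw kernel: DROP SRC=1.2.3.4 DST=203.0.113.12 DPT=443
"""


def sensor_index(sightings):
    """Map source IP -> set of distinct sensor ids that saw it."""
    seen = defaultdict(set)
    for sensor, src, _port in sightings:
        seen[src].add(sensor)
    return seen


def local_sources(log_text):
    """Extract SRC= addresses from the log, skipping malformed tokens."""
    srcs = set()
    for line in log_text.splitlines():
        for tok in line.split():
            if tok.startswith("SRC="):
                try:
                    srcs.add(str(ip_address(tok[4:])))
                except ValueError:
                    pass  # garbage in the log must not abort triage
    return srcs


def classify(log_text, sightings, min_sensors=2):
    """Return {ip: label}.

    omnidirectional: seen by >= min_sensors independent sensors (noise)
    low-confidence:  seen by some sensor, but fewer than min_sensors
    targeted:        never seen by any sensor -> investigate first
    """
    seen = sensor_index(sightings)
    result = {}
    for ip in local_sources(log_text):
        n = len(seen.get(ip, ()))
        if n >= min_sensors:
            result[ip] = "omnidirectional"
        elif n > 0:
            result[ip] = "low-confidence"
        else:
            result[ip] = "targeted"
    return result


if __name__ == "__main__":
    for ip, label in sorted(classify(LOCAL_LOG, SENSOR_SIGHTINGS).items()):
        print(f"{ip:18} {label}")
```

The label is driven by the number of distinct sensors, not by raw hit count: a source that hammers a single sensor thousands of times is still only one vantage point, whereas a handful of hits spread across sensors on different networks is the signature of omnidirectional scanning.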
A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?
Cisco CVE-2016-1287
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects Cisco ASA devices configured to terminate IKEv1 or IKEv2 VPN sessions (IKE, UDP port 500)
[Chart: Faraday traffic to port 500 over time; y-axis 0 to 3000]
Cisco CVE-2016-1287
The spike in port 500 traffic after disclosure, and the diversity of source IP addresses over time, tell us:
• People are not just probing for it, they are actively targeting it
• Where the probes are coming from
• Who may have known about the vulnerability prior to public disclosure (sources already hitting port 500 before Feb 10)
• It is not (yet) being massively exploited
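How the two readings above fall out of sensor data, as an added example (not Faraday's own analysis): count distinct sources per day on the port, call a spike when a post-disclosure day exceeds a multiple of the pre-disclosure median, and list sources that were active before the disclosure date and again afterwards. The record format, the factor, and all records below are assumptions constructed to mimic the port 500 shape; they are not real observations.

```python
"""Spike detection and pre-disclosure source listing (added example,
not Faraday code). Records are constructed: (ISO timestamp, source IP,
destination port)."""
from collections import defaultdict
from datetime import date, datetime
from statistics import median

DISCLOSURE = date(2016, 2, 10)  # CVE-2016-1287 public disclosure date

# Constructed sensor records, not real data.
RECORDS = [
    ("2016-02-07T01:00:00", "203.0.113.5", 500),
    ("2016-02-08T03:10:00", "203.0.113.5", 500),
    ("2016-02-08T09:12:00", "198.51.100.20", 500),
    ("2016-02-09T04:00:00", "203.0.113.5", 500),
    ("2016-02-09T11:30:00", "198.51.100.21", 22),   # other port, ignored
    ("2016-02-10T13:00:00", "203.0.113.5", 500),
    ("2016-02-10T13:05:00", "192.0.2.1", 500),
    ("2016-02-10T13:06:00", "192.0.2.2", 500),
    ("2016-02-10T13:07:00", "192.0.2.3", 500),
    ("2016-02-10T13:08:00", "192.0.2.4", 500),
    ("2016-02-11T02:00:00", "192.0.2.5", 500),
    ("2016-02-11T02:01:00", "192.0.2.6", 500),
    ("2016-02-11T02:02:00", "192.0.2.7", 500),
    ("2016-02-11T02:03:00", "203.0.113.5", 500),
]


def daily_sources(records, port):
    """date -> set of distinct source IPs that hit `port` on that day."""
    per_day = defaultdict(set)
    for ts, src, dport in records:
        if dport == port:
            per_day[datetime.fromisoformat(ts).date()].add(src)
    return per_day


def spike_days(per_day, disclosure, factor=3.0):
    """Days on/after disclosure whose distinct-source count exceeds
    factor x the pre-disclosure daily median. Uses distinct sources so a
    single noisy scanner cannot manufacture a spike on its own."""
    baseline = [len(s) for d, s in per_day.items() if d < disclosure]
    if not baseline:
        return []  # no baseline, no defensible spike call
    threshold = factor * median(baseline)
    return sorted(d for d, s in per_day.items()
                  if d >= disclosure and len(s) > threshold)


def early_sources(per_day, disclosure):
    """Sources active before disclosure that also took part afterwards:
    candidates for prior knowledge, or simply persistent scanners."""
    before = set().union(*(s for d, s in per_day.items() if d < disclosure))
    after = set().union(*(s for d, s in per_day.items() if d >= disclosure))
    return sorted(before & after)


if __name__ == "__main__":
    per_day = daily_sources(RECORDS, 500)
    print("spike days:", [str(d) for d in spike_days(per_day, DISCLOSURE)])
    print("early sources:", early_sources(per_day, DISCLOSURE))
```

Source counts on a port only measure probing. Separating probing from exploitation needs a sensor that speaks the protocol and records payloads, which is what the Redis sensor in the next slide does.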
Redis CVE-2015-4335
• Remote code execution vulnerability in Redis (Lua sandbox escape via EVAL)
– Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published
– Observed attacker behavior
– Recorded attacker IP addresses
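What such a sensor has to do at minimum, as an added example (this is not the custom sensor from the talk): speak enough of the Redis wire protocol (RESP) to decode what a scanner sends, record each command with the peer address, and answer with canned replies so the attacker keeps going. The listening port name SENSOR_PORT, the sighting tuple layout, the size caps and the sample attacker stream are all assumptions; the stream is constructed, including the Lua bytecode header fragment in the EVAL argument.

```python
"""Minimal Redis-protocol sensor (added example, not the talk's code).
Decodes RESP array and inline commands, logs them, and replies like an
unauthenticated Redis so the attacker proceeds to the interesting part."""
import socketserver
from datetime import datetime, timezone

SENSOR_PORT = 6379          # hypothetical listening port
SIGHTINGS = []              # (utc_timestamp, peer_ip, command, args)

# Constructed attacker stream: inline PING, CONFIG SET, then EVAL with a
# bulk argument starting with the Lua 5.1 bytecode header (ESC "LuaQ").
SAMPLE = (b"PING\r\n"
          b"*4\r\n$6\r\nCONFIG\r\n$3\r\nSET\r\n$3\r\ndir\r\n$4\r\n/tmp\r\n"
          b"*3\r\n$4\r\nEVAL\r\n$8\r\n\x1bLuaQ\x00\x01\x04\r\n$1\r\n0\r\n")


def parse_resp(buf):
    """Parse one command from buf -> (argv, leftover); argv is None if the
    buffer holds only a partial command. Raises ValueError on malformed
    or absurdly sized input so the caller can drop the connection."""
    if not buf:
        return None, buf
    if buf[:1] != b"*":                          # inline form: "INFO\r\n"
        line, sep, rest = buf.partition(b"\r\n")
        return (line.split(), rest) if sep else (None, buf)
    head, sep, rest = buf.partition(b"\r\n")
    if not sep:
        return None, buf
    n = int(head[1:])                            # ValueError if not a number
    if n < 0 or n > 1024:
        raise ValueError("unreasonable array length")
    argv = []
    for _ in range(n):
        if not rest:
            return None, buf                     # need more data
        if rest[:1] != b"$":
            raise ValueError("expected bulk string")
        hlen, sep, rest2 = rest.partition(b"\r\n")
        if not sep:
            return None, buf
        ln = int(hlen[1:])
        if ln < 0 or ln > 512 * 1024:           # cap what we buffer per arg
            raise ValueError("unreasonable bulk length")
        if len(rest2) < ln + 2:
            return None, buf
        argv.append(rest2[:ln])
        rest = rest2[ln + 2:]
    return argv, rest


def canned_reply(argv):
    """Answer like a vulnerable, unauthenticated Redis."""
    cmd = argv[0].upper() if argv else b""
    if cmd == b"PING":
        return b"+PONG\r\n"
    if cmd == b"INFO":
        body = b"redis_version:3.0.1\r\nos:Linux\r\n"
        return b"$%d\r\n%s\r\n" % (len(body), body)
    if cmd in (b"CONFIG", b"SET", b"SAVE", b"FLUSHALL", b"SLAVEOF", b"EVAL"):
        return b"+OK\r\n"
    return b"-ERR unknown command\r\n"


def handle_stream(peer_ip, buf, sink=SIGHTINGS):
    """Consume every complete command in buf; return (reply, leftover)."""
    out = b""
    while True:
        try:
            argv, rest = parse_resp(buf)
        except ValueError:
            return out + b"-ERR Protocol error\r\n", b""
        if argv is None:
            return out, buf
        buf = rest
        ts = datetime.now(timezone.utc).isoformat()
        cmd = argv[0].decode("latin-1") if argv else ""
        args = [a.decode("latin-1") for a in argv[1:]]   # raw bytes kept 1:1
        sink.append((ts, peer_ip, cmd, args))
        out += canned_reply(argv)


class SensorHandler(socketserver.BaseRequestHandler):
    def handle(self):
        peer, buf = self.client_address[0], b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            buf += chunk
            reply, buf = handle_stream(peer, buf)
            if reply:
                self.request.sendall(reply)


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", SENSOR_PORT), SensorHandler) as srv:
        srv.serve_forever()
```

Arguments are decoded with latin-1 so that bytecode and shellcode survive byte-for-byte in the sighting record; that record is the malware sample and the attacker IP the slide talks about collecting.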
CVE-????-????
• Traffic observed targeting unknown devices
• No known vulnerabilities in the services running on those ports
Fun Stuff
• Data Science Early Warning Applications
• Dangling DNS
• Bandwidth budget calculation
• Worm tracking
• Search engine spoofing
• Reflected DDoS attacks
• Provider threat model
Really Fun Stuff
• Integration into Endgame cyber operations platform
– Visibility into novel attacker techniques
– Ability to collect new malware samples
– Input into reputation services
– Situational awareness
Conclusion
• Determine whether an attack is targeted
• Derive Internet-wide vulnerability exploitation attempts
• Collect omnidirectionally targeted malware samples
Questions?
Thank You!
amorris@endgame.com
@andrew___morris

Editor's Notes

  1. Changed title - was ‘Problems’
  2. See slide 19 for previous version, here’s the text for you to either speak to or add back in case I emphasized the wrong points: Network of sensors Geographically and locally diverse Collect, catalogue, and analyze omnidirectional Internet traffic If something is *not* in Faraday, it is targeted By collecting all omnidirectional traffic, we can reduce it from regular traffic Distinguish all “background noise” Collect untargeted malware
  3. I stole the check marks from Phil’s – I kind of like that it adds color, and reinforces the positive, but can easily be convinced they aren’t necessary See slide 22, 23 for previous versions
  4. See hidden slide 20 for original version
  5. See hidden slide 21 for previous version
  6. Got rid of scanned in the header since it only covers malicious in the body; see slide 24 for original
  7. Combined this with a build out to lead into the example
  8. See slide 25 for original – added graph and reorganized Yellow circle only appears on a build, you can delete, but may be useful visually to show how small the numbers were prior, not that it was non-existent Should the title of the graph have ‘scans’ or something like that after Port 500? Omitted the following text from the next slide “Huge spike in relevant traffic when this vulnerability was disclosed” as you can speak to it here with the chart, and it segues well to next slide.
  9. When I was working on this earlier today, Bobby came by and noted this would be a good place to reiterate probing vs exploited with the language I gave it. It was previously: Faraday told us: Yes, people are actively probing for this Where they were coming from Who may have known about the vulnerability prior to public disclosure Is it not (yet) being massively exploited
  10. Added early warning with data science
  11. Removed the ‘or not’s, since that is implied