Extracting the Malware Signal from Internet Noise
- 3. Tactical Insights from Global Trends
• My network is being scanned/attacked
– Am I being targeted specifically?
– Are other people seeing this as well?
• A vulnerability has been disclosed
– Is anyone probing for this vulnerability?
– Is anyone exploiting this vulnerability?
- 4. Faraday: A Global Network of Sensors
• Untargeted Malware
• Geographically & Logically Dispersed
• Omnidirectional Internet Traffic for Collection & Analysis
If something is *not* in Faraday, it is likely targeted
- 7. Four Kinds of Traffic on Your Network
The difference between these can be hundreds of thousands of $$ in incident response
• Malicious, Omnidirectional: Worm, Mass Exploit Campaign
• Malicious, Targeted: Advanced Persistent Threat
• Benign, Omnidirectional: Search Engines (e.g. Google)
• Benign, Targeted: Regular Web User
- 8. My Network is Being Attacked
Omnidirectional Malicious
$ faraday --ip 123.123.123.123 | wc -l
42013
Targeted Malicious
$ faraday --ip 1.2.3.4 | wc -l
0
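The check on this slide, as an added example that is not part of the original deck or the Faraday tooling: a small Python triage that stands in for `faraday --ip` with a constructed sightings table, and labels each source seen on your own perimeter as omnidirectional (seen by several independent sensors with real volume), targeted (no sensor anywhere has seen it), or inconclusive (seen, but too thinly to call it background noise). The sensor names, the thresholds and the sample hit counts are assumptions; the two IP addresses come from the slide.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

Sighting = Tuple[str, str]  # (source_ip, sensor_id)

# Constructed sample data standing in for a global sensor network's records
# (what `faraday --ip <addr>` would list). Counts are kept small so the
# example stays readable; real sightings run into the tens of thousands.
SENSOR_SIGHTINGS: List[Sighting] = (
    [("123.123.123.123", "sensor-us-east")] * 40
    + [("123.123.123.123", "sensor-eu-west")] * 35
    + [("123.123.123.123", "sensor-ap-south")] * 28
    + [("198.51.100.7", "sensor-us-east")] * 3
)

# Constructed list of sources that showed up in our own perimeter logs.
LOCAL_ATTACKERS = ["123.123.123.123", "1.2.3.4", "198.51.100.7"]


def index_sightings(sightings: Iterable[Sighting]) -> Dict[str, Dict[str, int]]:
    """Map source IP -> {sensor_id: hit_count}."""
    index: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for ip, sensor in sightings:
        index[ip][sensor] += 1
    return index


def classify_ip(ip: str, index: Dict[str, Dict[str, int]],
                min_sensors: int = 2, min_hits: int = 10) -> str:
    """
    "omnidirectional": several independent sensors saw it with volume, so
                       the traffic is background noise, not aimed at us.
    "targeted":        the sensor network never saw it; only we did.
    "inconclusive":    seen, but by too few sensors / too few hits to be
                       sure it is noise (assumed thresholds).
    """
    per_sensor = index.get(ip)          # .get() does not create an entry
    if not per_sensor:
        return "targeted"
    total = sum(per_sensor.values())
    if len(per_sensor) >= min_sensors and total >= min_hits:
        return "omnidirectional"
    return "inconclusive"


def triage(attackers: Iterable[str], sightings: Iterable[Sighting]) -> Dict[str, str]:
    """Verdict per attacker IP, in the order the attackers were given."""
    index = index_sightings(sightings)
    return {ip: classify_ip(ip, index) for ip in attackers}


if __name__ == "__main__":
    for ip, verdict in triage(LOCAL_ATTACKERS, SENSOR_SIGHTINGS).items():
        print(f"{ip:>16}  {verdict}")
```

The third verdict is the one the slide's `wc -l` shortcut hides: a handful of hits on a single sensor is not enough to rule a source out as targeted, so the sensor count matters as much as the raw total.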
- 9. A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?
- 10. Cisco CVE-2016-1287
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects all Cisco ASAs
[Chart: Faraday Port 500 traffic over time, y-axis 0 to 3000]
- 11. Cisco CVE-2016-1287
The spike and diversity of IP addresses over time implies:
• People are not just probing, but actively targeting it
• Where they are coming from
• Who may have known about the vulnerability prior to public disclosure
• It is not (yet) being massively exploited
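An added example, not from the deck or the Faraday project, of how the spike and the source diversity behind the port 500 chart can be pulled out of raw sensor records: distinct sources per day on UDP/500, a baseline built from the days before disclosure, and a unique-to-total ratio per day that separates a few repeat scanners from many one-off sources. The per-day records are constructed; only the disclosure date is taken from the slide. This measures probing activity; telling probing from exploitation needs the sensor to inspect payloads, which this does not do.

```python
from datetime import date, timedelta
from statistics import mean, pstdev
from typing import Dict, List, Set, Tuple

Event = Tuple[date, str]  # (observation day, source IP) seen on UDP/500 (IKE)

# CVE-2016-1287 disclosure date, as stated on the slide.
DISCLOSURE = date(2016, 2, 10)


def make_constructed_events() -> List[Event]:
    """Constructed sample data, not real sensor records: a quiet baseline of
    three recurring scanners, then a growing number of distinct new sources
    from disclosure day onward."""
    events: List[Event] = []
    for days_before in range(14, 0, -1):            # 14 baseline days
        day = DISCLOSURE - timedelta(days=days_before)
        for i in range(3):                          # 3 scanners, 5 hits each
            events += [(day, f"203.0.113.{i + 1}")] * 5
    for days_after in range(5):                     # disclosure day + 4 more
        day = DISCLOSURE + timedelta(days=days_after)
        for i in range(40 + 30 * days_after):       # 40, 70, ... distinct sources
            events.append((day, f"198.51.100.{i + 1}"))
    return events


def daily_unique_sources(events: List[Event]) -> Dict[date, int]:
    """Distinct source IPs per day: the series the chart plots."""
    seen: Dict[date, Set[str]] = {}
    for day, ip in events:
        seen.setdefault(day, set()).add(ip)
    return {day: len(ips) for day, ips in sorted(seen.items())}


def spike_days(daily: Dict[date, int], cutoff: date, z: float = 3.0) -> List[date]:
    """Days on or after cutoff whose count exceeds baseline mean + z * stdev.
    The baseline is every day strictly before cutoff. A stdev floor of 1
    stops a perfectly flat baseline from flagging any tiny change."""
    baseline = [n for day, n in daily.items() if day < cutoff]
    threshold = mean(baseline) + z * max(pstdev(baseline), 1.0)
    return [day for day, n in daily.items() if day >= cutoff and n > threshold]


def source_diversity(events: List[Event], day: date) -> float:
    """Unique sources / total hits for one day. Near 1.0 means many one-off
    sources (broad interest); near 0 means a few scanners hitting repeatedly."""
    hits = [ip for d, ip in events if d == day]
    return len(set(hits)) / len(hits) if hits else 0.0


if __name__ == "__main__":
    evs = make_constructed_events()
    daily = daily_unique_sources(evs)
    for day in spike_days(daily, DISCLOSURE):
        print(day, daily[day], f"diversity={source_diversity(evs, day):.2f}")
```

Read together, the two numbers back the slide's first bullet: a jump in distinct sources with diversity near 1.0 is many separate parties trying the port, whereas the same hit volume from three addresses would only say the usual scanners got busier.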
- 12. Redis CVE-2015-4335
• Remote code execution vulnerability in Redis
– Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published
– Observed attacker behavior
– Recorded attacker IP addresses
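An added example, not the deck's own Redis sensor, of the minimal shape such a sensor can take: a parser for the RESP array form every Redis client command arrives in, a per-command log record carrying source IP, timestamp and command name, and a TCP handler that answers every command with +OK so the client keeps talking and its full sequence of commands gets recorded. The listening port, the buffer limit and the log record layout are assumptions; the sample bytes in the test are constructed.

```python
import socketserver
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

Command = List[bytes]  # parsed command: argument byte strings, e.g. [b"PING"]


def parse_resp_command(buf: bytes) -> Optional[Tuple[Command, bytes]]:
    """Parse one RESP array of bulk strings ("*<n>\\r\\n$<len>\\r\\n<data>\\r\\n"...).
    Returns (args, unconsumed_bytes), or None when buf does not yet hold a
    complete, well-formed command (so the caller can wait for more data)."""
    if not buf.startswith(b"*"):
        return None
    line_end = buf.find(b"\r\n")
    if line_end < 0:
        return None
    try:
        argc = int(buf[1:line_end])
    except ValueError:
        return None
    if argc < 0:
        return None
    pos = line_end + 2
    args: Command = []
    for _ in range(argc):
        if buf[pos:pos + 1] != b"$":
            return None
        line_end = buf.find(b"\r\n", pos)
        if line_end < 0:
            return None
        try:
            length = int(buf[pos + 1:line_end])
        except ValueError:
            return None
        start = line_end + 2
        if length < 0 or len(buf) < start + length + 2:
            return None
        args.append(buf[start:start + length])
        pos = start + length + 2
    return args, buf[pos:]


def record_event(peer_ip: str, args: Command,
                 when: Optional[datetime] = None) -> Dict[str, object]:
    """The record the sensor keeps per command: who, when, what (assumed layout)."""
    when = when or datetime.now(timezone.utc)
    return {
        "ts": when.isoformat(),
        "src_ip": peer_ip,
        "command": args[0].upper().decode("ascii", "replace") if args else "",
        "argc": len(args),
        "args": [a[:64].decode("latin-1") for a in args[1:]],  # truncated for the log
    }


EVENTS: List[Dict[str, object]] = []  # in-memory log; a real sensor ships these out


class RedisSensorHandler(socketserver.StreamRequestHandler):
    """Parse each RESP command a client sends, log it, reply +OK."""

    def handle(self) -> None:
        buf = b""
        peer_ip = self.client_address[0]
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                return
            buf += chunk
            if not buf.startswith(b"*"):  # not RESP: log what came and drop
                EVENTS.append(record_event(peer_ip, [b"<non-resp>", buf[:64]]))
                return
            while True:
                parsed = parse_resp_command(buf)
                if parsed is None:
                    break
                args, buf = parsed
                EVENTS.append(record_event(peer_ip, args))
                self.wfile.write(b"+OK\r\n")
            if len(buf) > 65536:  # never completes a command: drop the client
                return


if __name__ == "__main__":
    # Assumed deployment: the Redis port on a throwaway host with nothing else on it.
    with socketserver.ThreadingTCPServer(("0.0.0.0", 6379), RedisSensorHandler) as srv:
        srv.serve_forever()
```

Answering +OK to everything is what makes the sensor useful for the "observed attacker behavior" bullet: a client that gets an error after its first command usually disconnects, while one that gets +OK continues, and the ordered EVENTS list then holds the whole sequence for that source IP.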
- 14. Fun Stuff
• Data Science Early Warning Applications
• Dangling DNS
• Bandwidth budget calculation
• Worm tracking
• Search engine spoofing
• Reflected DDOS attacks
• Provider threat model
- 15. Really Fun Stuff
• Integration into Endgame cyber operations platform
– Visibility into novel attacker techniques
– Ability to collect new malware samples
– Input into reputation services
– Situational awareness
- 16. Conclusion
• Whether an attack is targeted or not
• Derive Internet-wide vulnerability exploitation attempts
• Collect omnidirectionally targeted malware samples
Editor's Notes
- Changed title - was ‘Problems’
- See slide 19 for previous version, here’s the text for you to either speak to or add back in case I emphasized the wrong points:
Network of sensors
Geographically and locally diverse
Collect, catalogue, and analyze omnidirectional Internet traffic
If something is *not* in Faraday, it is targeted
By collecting all omnidirectional traffic, we can reduce it from regular traffic
Distinguish all “background noise”
Collect untargeted malware
- I stole the check marks from Phil’s – I kind of like that it adds color, and reinforces the positive, but can easily be convinced they aren’t necessary
See slide 22, 23 for previous versions
- See hidden slide 20 for original version
- See hidden slide 21 for previous version
- Got rid of scanned in the header since it only covers malicious in the body; see slide 24 for original
- Combined this with a build out to lead into the example
- See slide 25 for original – added graph and reorganized
Yellow circle only appears on a build, you can delete, but may be useful visually to show how small the numbers were prior, not that it was non-existent
Should the title of the graph have ‘scans’ or something like that after Port 500?
Omitted the following text from the next slide “Huge spike in relevant traffic when this vulnerability was disclosed” as you can speak to it here with the chart, and it segues well to next slide.
- When I was working on this earlier today, Bobby came by and noted this would be a good place to reiterate probing vs exploited with the language I gave it. It was previously:
Faraday told us:
Yes, people are actively probing for this
Where they were coming from
Who may have known about the vulnerability prior to public disclosure
Is it not (yet) being massively exploited
- Added early warning with data science
- Removed the ‘or not’s, since that is implied
- I stole the check marks from Phil’s – I kind of like that it adds color, and reinforces the positive, but can easily be convinced they aren’t necessary
See slide 22, 23 for previous versions