Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
- 1. Reacting to Advanced, Unknown Attacks in Real-Time with Lastline
Engin Kirda // engin@lastline.com
Ph.D., Prof., Co-Founder & Chief Architect, Lastline
www.lastline.com
- 2. Me
• Professor at Northeastern University, Boston
– started malware research in about 2004
– Helped build and release popular malware analysis and detection systems (Anubis, Exposure, …)
• Co-founder of Lastline, Inc.
– Lastline offers protection against zero-day threats and advanced malware
– Commercialization of many years of advanced research
Copyright ©2014 Lastline, Inc. All rights reserved. 2
- 3. Overview of This Talk
• Introduction to the Problem
• Evasive Malware (Backoff examples)
• Automatically Mitigating Breaches
• Conclusion
- 4. Cyberattack (R)Evolution
[Chart: $$ Damage (Hundreds, Thousands, Hundreds of Thousands, Millions, Billions) against Time, rising from Cybervandalism through Cybercrime to Targeted Attacks and Cyberwar]
- 5. Online Crime is a Business
• Klikparty, 2007
- 6. Online Crime is a Business
• Klikparty, 2007
- 7. Malware is a Problem of Scale …
- 8. … and Sophistication
Current solutions fail to protect organizations from sophisticated, targeted attacks.
[Chart: threat sophistication ranging from Simple Threats (Plain Virus, Packing, Poly-morphic) to Sophisticated Threats (C&C Fluxing, Persistent Threats, Evasive Threats); Antivirus Solutions cover Opportunistic Attacks and APT Solutions cover Targeted Attacks, leaving a Security Gap in between]
- 9. Lastline Labs AV Vendor Review
Antivirus systems take months to catch up to highly evasive threats.
- 10. You’ve Probably Read This:
Recent Payment Breaches
• The last year has seen a dramatic escalation in the number of breached PoS systems
• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms
• In a few cases an early alarm was received, but it was ignored because it was indistinguishable from the background noise
- 11. What is Backoff?
• Malware used in numerous breaches in the last year
• Secret Service currently estimates 1,000+ U.S. businesses affected
• Targeted to PoS systems
• Evades analysis
- 12. What is Backoff?
[1 Slide Summary from Kyle]
• Product screenshot?
• Mention evasive behaviors exhibited
- 13. What is Backoff?
• Timing evasion (an anti-VM technique)
• Utilizes code obfuscation
• Also uses rare and poorly emulated instructions to defeat simple emulators
• Attempts to encrypt parts of the command and control traffic
- 14. How are the attackers deploying it?
• Scan for Internet facing Remote Desktop applications
• Brute force login credentials
• Often successfully find administrative credentials
• Use admin credentials to deploy Backoff to remote PoS systems
- 15. Understanding Evasive Malware
Malware authors are not stupid
• Clearly, they got the news that sandboxes are all the rage now
• Since the code is actually executed inside the sandbox, malware authors have options
Evasion defined
• Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target
• Can be achieved in a variety of ways…
- 16. Understanding Evasive Malware
• Malware can detect underlying runtime environment
– differences between virtualized and bare metal environment
– checks based on system (CPU) features
– artifacts in the operating system
• Malware can detect signs of specific analysis environments
– checks based on operating system artifacts (files, processes, …)
• Malware can avoid being analyzed
– tricks in making code run that analysis system does not see
– wait until someone clicks something
– time out analysis before any interesting behaviors are revealed
– simple sleeps, but more sophisticated implementations possible
- 17. 3 Ways to Build a Sandbox
Not all sandbox solutions can detect highly evasive malware.
- 18. Virtualized Sandboxing vs. Full System Emulation
Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware.
- 19. Lastline Platform Components
• Sensor (software): Analyzes network, email, web, and mobile traffic. Detects callbacks, extracts objects for advanced malware analysis, and stops cyber threats.
• Manager (software): Correlates low-level threat events into high-level incident views of network and object activity.
• Engine (software): Analyzes objects with a next-generation sandbox using full-system emulation. This approach allows for greater visibility into advanced malware.
• Threat Intel (subscription): Offers a rich knowledge base of malicious network sources and objects containing advanced cyber threats, built through machine learning, web crawling, emulated browsers, and automated and dynamic techniques.
• API (software): Provides the ability to submit objects for advanced malware analysis from any third-party sensor or system, queries the Threat Intelligence, and displays pertinent threat information.
- 20. Lastline Enterprise On-Premise
Suitable for environments with tight requirements in terms of privacy and compliance. Customers may decide to share anonymized information with Lastline Labs.
- 21. Lastline Enterprise Hosted
Suitable for customers who want to minimize the operational effort.
- 22. Technology Plays a Crucial Role but…
• Deploying an advanced solution to detect and mitigate a breach is a crucial input for the breach detection process
• However, to fully leverage the detection capabilities, the platform must be easily integrated into an organization from both a technology and a process perspective
- 23. It’s Part of a Multi-Phase Process
Phases: Assess the Environment; Deploy the Components; Correlate the Information; Share the Actionable Threat Intelligence; Automatically Enforce Countermeasures
• Who, when, where, how?
• Avoid the “Target Syndrome”
• Build a process that is incident-based rather than event-based
• Deploy a scalable architecture
• Provide comprehensive coverage in terms of attack vectors
• Reduce the TCO and boost the ROI
• Quickly and seamlessly adapt to changes
• Provide multi-dimensional actionable threat intelligence
• Feed automated systems (SIEM, trouble ticketing)
• Identify reliable IOCs
• Use the correlated information to quickly enforce countermeasures
- 24. Correlate the Information
• The Lastline Enterprise Platform provides an incident-centric view, rather than an event-centric view
• Single events are post-processed and summarized into high-level incidents
- 25. Correlate the Information
Stage 1: Connection to the drive-by site
Stage 2: Malicious binary download
Stage 3: Malicious C&C connections
Everything is correlated into a single incident: security analysts look at a single incident rather than 4 separate events.
Result of the correlation process:
Drive-by + Malicious Binary Download = Endpoint successfully compromised!
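The correlation rule on this slide, as an added example that is not Lastline code: per-host low-level events (stage labels, the time window and the sample events are all constructed here) are grouped into incidents, and the drive-by plus malicious-download combination escalates the incident's priority instead of surfacing as separate alerts.

```python
from dataclasses import dataclass, field

# Constructed sample events, not real sensor output: (timestamp, host, stage, detail)
SAMPLE_EVENTS = [
    (100, "10.0.0.5", "drive-by", "connection to exploit site badsite.example"),
    (105, "10.0.0.5", "binary-download", "download of dropper.exe, verdict=malicious"),
    (160, "10.0.0.5", "c2", "callback to c2.example:443"),
    (170, "10.0.0.5", "c2", "callback to c2.example:443"),
    (200, "10.0.0.9", "drive-by", "connection to exploit site badsite.example"),
]

@dataclass
class Incident:
    host: str
    first_seen: int
    last_seen: int
    stages: set = field(default_factory=set)
    event_count: int = 0

    @property
    def compromised(self) -> bool:
        # The slide's rule: drive-by + malicious binary download = endpoint compromised
        return {"drive-by", "binary-download"} <= self.stages

    @property
    def priority(self) -> str:
        if self.compromised and "c2" in self.stages:
            return "critical"  # confirmed infection that is already calling home
        if self.compromised:
            return "high"
        return "low"           # a lone drive-by attempt stays in the background noise

def correlate(events, window=600):
    """Group each host's events that fall within `window` seconds into one incident.

    Events are processed in timestamp order; a gap longer than the window opens a
    new incident for that host, so old activity is not merged with a fresh attack.
    """
    incidents = []
    open_by_host = {}
    for ts, host, stage, _detail in sorted(events):
        inc = open_by_host.get(host)
        if inc is None or ts - inc.last_seen > window:
            inc = Incident(host=host, first_seen=ts, last_seen=ts)
            incidents.append(inc)
            open_by_host[host] = inc
        inc.last_seen = ts
        inc.stages.add(stage)
        inc.event_count += 1
    return incidents
```

Running `correlate(SAMPLE_EVENTS)` yields two incidents: the four events for 10.0.0.5 collapse into one critical incident, while the single drive-by on 10.0.0.9 stays low priority.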
- 26. Share the Actionable Threat Intelligence
• The post-processed information can be exported to external devices
• For further integration, the Lastline API can be easily integrated with existing security infrastructures
• SWGs (Secure Web Gateways), IPSs (Intrusion Protection Systems), NGFWs (Next-Generation Firewalls) and SIEM (Security Information Event Management) installations can all interoperate seamlessly with Lastline Enterprise
- 27. Providing Multi-Dimensional Information…
• The information provided by the Lastline Enterprise reports can be used at different levels
Operational level: extract the information to contain and mitigate the breach
Analytical level: perform post-mortem forensic analysis
- 28. Detailed Information for Security Analysts
Security analysts can extract the process dumps and analyse them in IDA Pro.
It is also possible to derive reliable IoCs.
- 29. Automatically Mitigating the Breach
[Diagram: User 1, User 2 … User n, an Exploit Site and a C&C Site, with numbered steps 1 to 5 and feedback to Global Threat Intelligence; the steps are listed on the next slide]
- 30. Mitigating the Breach
1. The sensor detects an advanced threat for the organization
2. The artifact is analyzed by the Lastline Engine leveraging full system emulation
3. The manager triggers an alert using post-processing and correlation to ensure it is displayed with the right priority
4. The information can be automatically transmitted in real time to the third-party products that are part of the Lastline Defense Program, or to virtually any other technology by means of the Lastline API
5. Other occurrences of the same threat are immediately detected and blocked
- 31. Thank You!
For more information visit www.lastline.com
or contact us at info@lastline.com.
Editor's Notes
- In several
- And now let us introduce the topic
- rtdsc looping (timing evasion)
obfuscation uses a mildly obfuscated code (oligomorphic decryptor), multistage encrypted shellcode, runpe/hollowing, encryption
track/keylogger data sent to c2 is encrypted; networked based detection of the c2 still quite easy -> enterprise could detect it reliably, but DLP mechanisms would fail
- Using publicly available services and tools for each step
- Before introducing the topic, it’s worthwhile to provide a high-level overview of the Lastline Platform, to make sure the audience will correctly follow the slides that come next.
- Two quick slides to describe the architecture of our platform, to quickly emphasize the scalable architecture, which de-couples the role of the analysis and security enforcement points.
- The meaning of this slide is a very old meme: the power is useless without control.
The technology is a mandatory starting point, but it must be easy to integrate to let the organization unleash the full range of capabilities.
I won’t ever use the term remediation, since it may have different meanings (cleaning the endpoint or verifying the IOCs). Besides, according to my experience, not all the CxOs believe remediation is possible. Rather, I believe it could be better to use terms such as containment and/or mitigation.
- The concept of multi-dimensional information is explained later. Maybe the term is exaggerated (on purpose). The meaning is that the information can be used for both operation engineers and security analysts.
- I used the term Breach Mitigation
- It is important to stress here that we do not forward single sparse events but the post processed information.
- Maybe here it’s worth mentioning that this is a real Backoff sample analysed in August.