SlideShare a Scribd company logo

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Download as PPTX, PDF
Lastline, Inc.
Lastline, Inc.

This document summarizes a presentation given by Dr. Engin Kirda on reacting to advanced cyberattacks in real-time using Lastline's detection platform. The presentation discusses how malware has become more sophisticated, evasive, and targeted. Lastline takes a unique approach to detection by using full system emulation in their sandbox environment, which allows them to detect malware that evades traditional antivirus solutions and virtualized sandboxes. The Lastline platform components work together to analyze suspicious files, correlate events into high-level incidents, share threat intelligence, and help automatically mitigate breaches across an organization's network in real-time.

Related slideshows

Detecting Evasive Malware in Sandbox
Detecting Evasive Malware in SandboxDetecting Evasive Malware in Sandbox
Detecting Evasive Malware in Sandbox
 
H@dfex 2015 malware analysis
H@dfex 2015 malware analysisH@dfex 2015 malware analysis
H@dfex 2015 malware analysis
 
My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)My Keynote from BSidesTampa 2015 (video in description)
My Keynote from BSidesTampa 2015 (video in description)
 
1 of 31
Reacting to Advanced, Unknown Attacks in Real-Time with Lastline Engin Kirda // engin@lastline.com Ph.D., Prof., Co-Founder & Chief Architect, Lastline www.lastline.com
Me • Professor at Northeastern University, Boston – started malware research in about 2004 – Helped build and release popular malware analysis and detection systems (Anubis, Exposure, …) • Co-founder of Lastline, Inc. – Lastline offers protection against zero-day threats and advanced malware – Commercialization of many years of advanced research Copyright ©2014 Lastline, Inc. All rights reserved. 2
Overview of This Talk • Introduction to the Problem • Evasive Malware (Backoff examples) • Automatically Mitigating Breaches • Conclusion Copyright ©2014 Lastline, Inc. All rights reserved. 3
Cyberattack (R)Evolution Targeted Attacks and Cyberwar !!! Time $$ Damage Billions Millions Hundreds of Thousands Thousands Hundreds Cybercrime Cybervandalism $$$ #@! Copyright ©2014 Lastline, Inc. All rights reserved. 4
Online Crime is a Business • Klikparty, 2007 Copyright ©2014 Lastline, Inc. All rights reserved. 5
Online Crime is a Business • Klikparty, 2007 Copyright ©2014 Lastline, Inc. All rights reserved. 6
Malware is a Problem of Scale … Copyright ©2014 Lastline, Inc. All rights reserved. 7
… and Sophistication Current solutions fail to protect organizations from sophisticated, targeted attacks. Simple Threats Opportunistic Attacks APT Solutions Antivirus Solutions Security Gap Targeted Attacks Packing Sophisticated Threats Plain Virus Poly-morphic C&C Fluxing Persistent Threats Evasive Threats Copyright ©2014 Lastline, Inc. All rights reserved. 8
Lastline Labs AV Vendor Review Antivirus systems take months to catch up to highly evasive threats. Copyright ©2014 Lastline, Inc. All rights reserved. 9
You’ve Probably Read This: Recent Payment Breaches • The last year has seen a dramatic escalation in the number of breached PoS systems • Many of these PoS payloads, like Backoff, evaded installed defenses and alarms • In few cases an early alarm was received, but it was ignored since indistinguishable from the background noise. Copyright ©2014 Lastline, Inc. All rights reserved. 10
What is Backoff? • Malware used in numerous breaches in the last year • Secret Service currently estimates 1,000+ U.S. businesses affected • Targeted to PoS systems • Evades analysis Copyright ©2014 Lastline, Inc. All rights reserved. 11
What is Backoff? [1 Slide Summary from Kyle] • Product screenshot? • Mention evasive behaviors exhibited Copyright ©2014 Lastline, Inc. All rights reserved. 12
What is Backoff? • Timing evasion (an anti-VM technique) • Utilizes code obfuscation • Also uses rare and poorly emulated instructions to defeat simple emulators • Attempts to encrypt parts of the command and control traffic Copyright ©2014 Lastline, Inc. All rights reserved. 13
How are the attackers deploying it? • Scan for Internet facing Remote Desktop applications • Brute force login credentials • Often successfully find administrative credentials • Use admin credentials to deploy Backoff to remote PoS systems Copyright ©2014 Lastline, Inc. All rights reserved. 14
Understanding Evasive Malware Malware authors are not stupid • Clearly, they got the news that sandboxes are all the rage now • since the code is executed, malware authors have options Evasion defined • Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target • Can be achieved in a variety of ways… Copyright ©2014 Lastline, Inc. All rights reserved. 15
Understanding Evasive Malware • Malware can detect underlying runtime environment – differences between virtualized and bare metal environment – checks based on system (CPU) features – artifacts in the operating system • Malware can detect signs of specific analysis environments – checks based on operating system artifacts (files, processes, …) • Malware can avoid being analyzed – tricks in making code run that analysis system does not see – wait until someone clicks something – time out analysis before any interesting behaviors are revealed – simple sleeps, but more sophisticated implementations possible Copyright ©2014 Lastlin1e6, Inc. All rights reserved.
3 Ways to Build a Sandbox Not all sandbox solutions can detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 17
Virtualized Sandboxing vs. Full System Emulation Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 18
Lastline Platform Components Sensor Analyzes network, email, web, and mobile traffic. Detects callbacks and extracts objects for advanced malware analysis and stops cyber threats. Manager Correlates low-level threat events into high-level network incident views of network and object activity. Engine Analyzes objects with a next-generation sandbox using full-system emulation. This approach allows for greater visibility into advanced malware. Threat Intel Offers a rich knowledge base of malicious network sources and objects containing advanced cyber threats built through machine learning, web crawling, emulated browsers, automated and dynamic techniques. API Provides ability to submit objects for advanced malware analysis from any third-party sensor or system, queries the Threat Intelligence and displays pertinent threat information. software software software subscription software Copyright ©2014 Lastline, Inc. All rights reserved. 19
Lastline Enterprise On-Premise Suitable for those environments with tight requirements in terms of privacy and compliance. Customers may decide to share anonymous information with the Lastline Labs Copyright ©2014 Lastline, Inc. All rights reserved. 20
Lastline Enterprise Hosted Suitable for those customers who want to minimize the operational effort Copyright ©2014 Lastline, Inc. All rights reserved. 21
Technology Plays a Crucial Role but… • Deploying an advanced solution to detect and mitigate a breach is a crucial input for the breach detection process • However, to fully leverage the detection capabilities, the platform must be easily integrated into an organization from both a technology and a process perspective Copyright ©2014 Lastline, Inc. All rights reserved. 22
It’s Part of a Multi-Phase Process Copyright ©2014 Lastline, Inc. All rights reserved. Assess the Environment Deploy the Components Correlate the Information Share the Actionable Threat Intelligence Automatically Enforce Countermeasures • Who, when, where, how? • Avoid the “Target Syndrome”; • Build a process that is incident-based rather then event-based; • Deploy a Scalable Architecture; • Provide a comprehensive coverage in terms of attack vectors; Reduce the TCO and boost the ROI; • Quickly and Seamlessly adapt to changes; • Provide multi-dimensional actionable threat intelligence; • Feed Automated Systems (SIEM, Trouble Ticketing); • Identify reliable IOCs • Use the correlated information to quickly enforce countermeasures 23
Correlate the Information Copyright ©2014 Lastline, Inc. All rights reserved. • Lastline Enterprise Platform provides an incident-centric view, rather then an event-centric view • Single events are post-processed and summarized into high-level incidents 28
Correlate the Information Copyright ©2014 Lastline, Inc. All rights reserved. Stage 1: Connection to the Drive-By Site Stage 3: Malicious C&C connections Stage 2: Malicious Binary Download Everything correlated into a single incident Security Analysts look at a single incident rather than 4 separated events Result of the correlation process: Drive-by + Malicious Binary Download = ------------------------------------ Endpoint successfully compromised! 29
Share the Actionable Threat Intelligence • The post-processed information can be exported to external devices • For further integration, Lastline API can be easily integrated with existing security infrastructures • SWGs (Secure Web Gateways), IPSs (Intrusion Protection System), NGFWs (Next-Generation Firewalls) and SIEM (Security Information Event Management) installations can all interoperate seamlessly with Lastline Enterprise Copyright ©2014 Lastline, Inc. All rights reserved. 30
Providing Multi-Dimensional Information… • The information provided by the Lastline Enterprise reports can be used at different levels  Operational level: extract the information to contain and mitigate the breach  Analytical level: perform post-mortem forensic analysis Copyright ©2014 Lastline, Inc. All rights reserved. 31
Detailed Information for Security Analysts Copyright ©2014 Lastline, Inc. All rights reserved. Security Analysts can extract the Process Dumps and analyse them on Ida PRO It is also possible to derive reliable IoC. 32
Automatically Mitigating the Breach User n User 1 Exploit Site C&C Site 1 2 3 5 Feedback To Global Threat Intelligence User 2 4 Copyright ©2014 Lastline, Inc. All rights reserved. 33
• The sensor detects an advanced threat for the organization • The artifact is analyzed by the Lastline Engine leveraging full system emulation • The manager triggers an alert using post processing and correlation to ensure it is displayed with the right priority; • The information can be automatically transmitted in real time to the third parties products part of the Lastline Defense Program, or virtually to any other technology by means of the Lastline API • Other occurrences of the same threats are immediately detected and blocked Copyright ©2014 Lastline, Inc. All rights reserved. 1 2 3 4 5 Mitigating the Breach 34
Thank You! For more information visit www.lastline.com or contact us at info@lastline.com.

More Related Content

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

  • 1. Reacting to Advanced, Unknown Attacks in Real-Time with Lastline Engin Kirda // engin@lastline.com Ph.D., Prof., Co-Founder & Chief Architect, Lastline www.lastline.com
  • 2. Me • Professor at Northeastern University, Boston – started malware research in about 2004 – Helped build and release popular malware analysis and detection systems (Anubis, Exposure, …) • Co-founder of Lastline, Inc. – Lastline offers protection against zero-day threats and advanced malware – Commercialization of many years of advanced research Copyright ©2014 Lastline, Inc. All rights reserved. 2
  • 3. Overview of This Talk • Introduction to the Problem • Evasive Malware (Backoff examples) • Automatically Mitigating Breaches • Conclusion Copyright ©2014 Lastline, Inc. All rights reserved. 3
  • 4. Cyberattack (R)Evolution Targeted Attacks and Cyberwar !!! Time $$ Damage Billions Millions Hundreds of Thousands Thousands Hundreds Cybercrime Cybervandalism $$$ #@! Copyright ©2014 Lastline, Inc. All rights reserved. 4
  • 5. Online Crime is a Business • Klikparty, 2007 Copyright ©2014 Lastline, Inc. All rights reserved. 5
  • 6. Online Crime is a Business • Klikparty, 2007 Copyright ©2014 Lastline, Inc. All rights reserved. 6
  • 7. Malware is a Problem of Scale … Copyright ©2014 Lastline, Inc. All rights reserved. 7
  • 8. … and Sophistication Current solutions fail to protect organizations from sophisticated, targeted attacks. Simple Threats Opportunistic Attacks APT Solutions Antivirus Solutions Security Gap Targeted Attacks Packing Sophisticated Threats Plain Virus Poly-morphic C&C Fluxing Persistent Threats Evasive Threats Copyright ©2014 Lastline, Inc. All rights reserved. 8
  • 9. Lastline Labs AV Vendor Review Antivirus systems take months to catch up to highly evasive threats. Copyright ©2014 Lastline, Inc. All rights reserved. 9
  • 10. You’ve Probably Read This: Recent Payment Breaches • The last year has seen a dramatic escalation in the number of breached PoS systems • Many of these PoS payloads, like Backoff, evaded installed defenses and alarms • In few cases an early alarm was received, but it was ignored since indistinguishable from the background noise. Copyright ©2014 Lastline, Inc. All rights reserved. 10
  • 11. What is Backoff? • Malware used in numerous breaches in the last year • Secret Service currently estimates 1,000+ U.S. businesses affected • Targeted to PoS systems • Evades analysis Copyright ©2014 Lastline, Inc. All rights reserved. 11
  • 12. What is Backoff? [1 Slide Summary from Kyle] • Product screenshot? • Mention evasive behaviors exhibited Copyright ©2014 Lastline, Inc. All rights reserved. 12
  • 13. What is Backoff? • Timing evasion (an anti-VM technique) • Utilizes code obfuscation • Also uses rare and poorly emulated instructions to defeat simple emulators • Attempts to encrypt parts of the command and control traffic Copyright ©2014 Lastline, Inc. All rights reserved. 13
  • 14. How are the attackers deploying it? • Scan for Internet facing Remote Desktop applications • Brute force login credentials • Often successfully find administrative credentials • Use admin credentials to deploy Backoff to remote PoS systems Copyright ©2014 Lastline, Inc. All rights reserved. 14
  • 15. Understanding Evasive Malware Malware authors are not stupid • Clearly, they got the news that sandboxes are all the rage now • since the code is executed, malware authors have options Evasion defined • Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target • Can be achieved in a variety of ways… Copyright ©2014 Lastline, Inc. All rights reserved. 15
  • 16. Understanding Evasive Malware • Malware can detect underlying runtime environment – differences between virtualized and bare metal environment – checks based on system (CPU) features – artifacts in the operating system • Malware can detect signs of specific analysis environments – checks based on operating system artifacts (files, processes, …) • Malware can avoid being analyzed – tricks in making code run that analysis system does not see – wait until someone clicks something – time out analysis before any interesting behaviors are revealed – simple sleeps, but more sophisticated implementations possible Copyright ©2014 Lastlin1e6, Inc. All rights reserved.
  • 17. 3 Ways to Build a Sandbox Not all sandbox solutions can detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 17
  • 18. Virtualized Sandboxing vs. Full System Emulation Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware. Copyright ©2014 Lastline, Inc. All rights reserved. 18
  • 19. Lastline Platform Components Sensor Analyzes network, email, web, and mobile traffic. Detects callbacks and extracts objects for advanced malware analysis and stops cyber threats. Manager Correlates low-level threat events into high-level network incident views of network and object activity. Engine Analyzes objects with a next-generation sandbox using full-system emulation. This approach allows for greater visibility into advanced malware. Threat Intel Offers a rich knowledge base of malicious network sources and objects containing advanced cyber threats built through machine learning, web crawling, emulated browsers, automated and dynamic techniques. API Provides ability to submit objects for advanced malware analysis from any third-party sensor or system, queries the Threat Intelligence and displays pertinent threat information. software software software subscription software Copyright ©2014 Lastline, Inc. All rights reserved. 19
  • 20. Lastline Enterprise On-Premise Suitable for those environments with tight requirements in terms of privacy and compliance. Customers may decide to share anonymous information with the Lastline Labs Copyright ©2014 Lastline, Inc. All rights reserved. 20
  • 21. Lastline Enterprise Hosted Suitable for those customers who want to minimize the operational effort Copyright ©2014 Lastline, Inc. All rights reserved. 21
  • 22. Technology Plays a Crucial Role but… • Deploying an advanced solution to detect and mitigate a breach is a crucial input for the breach detection process • However, to fully leverage the detection capabilities, the platform must be easily integrated into an organization from both a technology and a process perspective Copyright ©2014 Lastline, Inc. All rights reserved. 22
  • 23. It’s Part of a Multi-Phase Process Copyright ©2014 Lastline, Inc. All rights reserved. Assess the Environment Deploy the Components Correlate the Information Share the Actionable Threat Intelligence Automatically Enforce Countermeasures • Who, when, where, how? • Avoid the “Target Syndrome”; • Build a process that is incident-based rather then event-based; • Deploy a Scalable Architecture; • Provide a comprehensive coverage in terms of attack vectors; Reduce the TCO and boost the ROI; • Quickly and Seamlessly adapt to changes; • Provide multi-dimensional actionable threat intelligence; • Feed Automated Systems (SIEM, Trouble Ticketing); • Identify reliable IOCs • Use the correlated information to quickly enforce countermeasures 23
  • 24. Correlate the Information Copyright ©2014 Lastline, Inc. All rights reserved. • Lastline Enterprise Platform provides an incident-centric view, rather then an event-centric view • Single events are post-processed and summarized into high-level incidents 28
  • 25. Correlate the Information Copyright ©2014 Lastline, Inc. All rights reserved. Stage 1: Connection to the Drive-By Site Stage 3: Malicious C&C connections Stage 2: Malicious Binary Download Everything correlated into a single incident Security Analysts look at a single incident rather than 4 separated events Result of the correlation process: Drive-by + Malicious Binary Download = ------------------------------------ Endpoint successfully compromised! 29
  • 26. Share the Actionable Threat Intelligence • The post-processed information can be exported to external devices • For further integration, Lastline API can be easily integrated with existing security infrastructures • SWGs (Secure Web Gateways), IPSs (Intrusion Protection System), NGFWs (Next-Generation Firewalls) and SIEM (Security Information Event Management) installations can all interoperate seamlessly with Lastline Enterprise Copyright ©2014 Lastline, Inc. All rights reserved. 30
  • 27. Providing Multi-Dimensional Information… • The information provided by the Lastline Enterprise reports can be used at different levels  Operational level: extract the information to contain and mitigate the breach  Analytical level: perform post-mortem forensic analysis Copyright ©2014 Lastline, Inc. All rights reserved. 31
  • 28. Detailed Information for Security Analysts Copyright ©2014 Lastline, Inc. All rights reserved. Security Analysts can extract the Process Dumps and analyse them on Ida PRO It is also possible to derive reliable IoC. 32
  • 29. Automatically Mitigating the Breach User n User 1 Exploit Site C&C Site 1 2 3 5 Feedback To Global Threat Intelligence User 2 4 Copyright ©2014 Lastline, Inc. All rights reserved. 33
  • 30. • The sensor detects an advanced threat for the organization • The artifact is analyzed by the Lastline Engine leveraging full system emulation • The manager triggers an alert using post processing and correlation to ensure it is displayed with the right priority; • The information can be automatically transmitted in real time to the third parties products part of the Lastline Defense Program, or virtually to any other technology by means of the Lastline API • Other occurrences of the same threats are immediately detected and blocked Copyright ©2014 Lastline, Inc. All rights reserved. 1 2 3 4 5 Mitigating the Breach 34
  • 31. Thank You! For more information visit www.lastline.com or contact us at info@lastline.com.

Editor's Notes

  1. In several
  2. And now let us introduce the topic
  3. rtdsc looping (timing evasion) obfuscation uses a mildly obfuscated code (oligomorphic decryptor), multistage encrypted shellcode, runpe/hollowing, encryption track/keylogger data sent to c2 is encrypted; networked based detection of the c2 still quite easy -> enterprise could detect it reliably, but DLP mechanisms would fail
  4. Using publicly available services and tools for each step
  5. Before introducing the topic, it’s worthwhile to provide a high level overview of the Lastline Platform, to make sure the audience will follow correctly the following slides.
  6. Two quick slides to describe the architecture of our platform. To quickly emphasize the scalable architecture, which de-couple the role of the analysis and security enforcement points.
  7. The meaning of this slide is a very old meme: the power is useless without control. The technology is a mandatory starting point, but it must be easy to integrate to let the organization unleash the full range of capabilities. I won’t ever use the term remediation, since it may have different meanings (cleaning the endpoint or verify the IOCs). Besides according to my experience, not all the CxOs believe remediation is possible. Rather I believe could be better to use terms such as containment and/or mitigation.
  8. The concept of multi-dimensional information is explained later. Maybe the term is exaggerated (on purpose). The meaning is that the information can be used for both operation engineers and security analysts.
  9. I used the term Breach Mitigation
  10. I used the term Breach Mitigation
  11. I used the term Breach Mitigation
  12. I used the term Breach Mitigation
  13. It is important to stress here that we do not forward single sparse events but the post processed information.
  14. Maybe here it’s worth to mention that this is a real backoff sample analysed in August.