Distilling & Investigating
Network Activity at Scale
University of California, Santa Barbara
University of California, Berkeley
Georgia Institute of Technology
ARO/MURI Annual Review November 19, 2014
Vern Paxson
[Figure: project architecture diagram (slide graphic). Components shown: Real World Enterprise Network; Data (Observations: Netflow, Probing, Time analysis); Sensor Alerts; Correlation Engine; Mission Model; Cyber-Assets Model; Analysis to get up-to-date view of cyber-assets; Analysis to determine dependencies between assets and missions; Impact Analysis; Create semantically-rich view of cyber-mission status; Simulation/Live Security Exercises; Predict Future Actions; Analyze and Characterize Attackers.]
Overview
● Distilling network activity at scale
  – Browser subversion threats (UCB, UCSB, ICSI)
  – Enterprise visibility
    ● Protocol analysis (ICSI, UCB)
    ● Inferring asset aliasing (UCB, ICSI)
  – Integrating global vantage points to local perspectives
    ● SSL Notary (ICSI, UCB)
    ● SumStats (ICSI)
● Investigating network activity at scale
  – VAST: Visibility Across Space and Time (UCB, ICSI)
Section titles:
Browser Subversion Threats
Enterprise Visibility: Inferring Asset Aliasing
Augmenting the Local Perspective With Global Information
VAST: Visibility Across Space & Time (Enterprise-Scale Investigatory Platform)
Browser Subversion Threats
Compromising the browser: extensions, malware
What can a malicious extension do?
● Modify requests (e.g., affiliate fraud)
● Inject page modifications (e.g., ads)
● Keylogging (for visited pages)
● Steal credentials (authenticators)
Anything malicious that you can do with JavaScript having access to the visited page, the web requests, and the browser's cookies.
Approach (Hulk)
● Install extension in Chrome inside a VM
● Visit select & specially crafted pages
● Monitor extension’s activity
● Classify behavior
HoneyPage
The served page starts out empty:
<html>
</html>
When the extension queries an element that does not exist, e.g.
document.getElementById("fb_newsfeed")
the HoneyPage creates it on demand:
<div id="fb_newsfeed"></div>
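The on-demand DOM behaviour described above, as an added example that is not Hulk's own code: a small HoneyPage-style document for Node (no real browser is assumed; `makeHoneyDocument`, `sampleContentScript` and `analyzeWithHoneyPage` are names chosen here) that creates whatever the content script asks for and records the lookups.

```javascript
// Added example (not Hulk's own code): a HoneyPage-style DOM stand-in that
// runs under Node. Every element the extension asks for is created on demand
// and each lookup is recorded, so the analysis learns what page content the
// extension is after even though the served page is empty. Assumption: only
// getElementById plus "#id" and input[name|type=...] selectors are modelled.
function makeHoneyDocument() {
  const elements = new Map(); // key -> element created on first request
  const lookups = [];         // every DOM query the extension made, in order
  const fresh = (tag, id) => ({ tagName: tag.toUpperCase(), id, value: "" });
  const obtain = (key, tag) => {
    if (!elements.has(key)) elements.set(key, fresh(tag, key));
    return elements.get(key);
  };
  return {
    lookups,
    getElementById(id) {
      lookups.push(`#${id}`);
      return obtain(id, "div");
    },
    querySelector(sel) {
      lookups.push(sel);
      const byId = /^#([\w-]+)$/.exec(sel);
      if (byId) return obtain(byId[1], "div");
      const input = /^input\[(?:name|type)=["']?([\w-]+)["']?\]$/.exec(sel);
      if (input) return obtain(`input:${input[1]}`, "input");
      return null; // unmodelled selector: behave like a real miss
    },
  };
}

// Constructed content script standing in for an extension under analysis:
// it looks for a news-feed container and for a login form's fields.
function sampleContentScript(document) {
  const feed = document.getElementById("fb_newsfeed");
  const pw = document.querySelector("input[type=password]");
  const email = document.querySelector("input[name=email]");
  return { feedFound: feed !== null, credentialFieldsFound: pw !== null && email !== null };
}

// Run a content script against a HoneyPage and report what it probed. A
// lookup of a password field is one input to the "steals email/password
// from form" indicator; what the script then does with the value decides.
function analyzeWithHoneyPage(contentScript) {
  const doc = makeHoneyDocument();
  const result = contentScript(doc);
  const probed = [...new Set(doc.lookups)];
  return { result, probed, touchesPasswordField: probed.some((s) => /password/i.test(s)) };
}
```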
Event handler fuzzing
● Extensions register to intercept network events …
● … We oblige them!
● Pretend to visit Alexa top 1 million domains
● Point to a HoneyPage
● Takes <10 sec on average
Malicious behavior indicators
● Prevents extension uninstall
● Steals email/password from form
● Contains keylogging functionality
● Manipulates security-related HTTP headers
● Uninstalls extensions
Suspicious behavior heuristics
● Injects dynamic JavaScript
● Evals with input >128 chars long
● Produces HTTP 4xx errors
● Performs requests to non-existent domains
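The event-handler fuzzing step combined with the "manipulates security-related HTTP headers" indicator, as an added example that is not Hulk's code: a fake `chrome.webRequest.onHeadersReceived` collects the listeners an extension registers, synthetic responses for a constructed domain list are pushed through them, and any security header that comes back removed or altered is reported (`fuzzHeaderListeners` and the sample extension are constructed for this illustration).

```javascript
// Added example (not Hulk's own code): a miniature event-handler fuzzing
// step. A fake chrome.webRequest API collects the listeners an extension
// registers; the harness then feeds synthetic responses for a list of domains
// (constructed stand-ins for the Alexa list) through each listener and reports
// every security-related header it removed or changed.
const SECURITY_HEADERS = ["content-security-policy", "strict-transport-security", "x-frame-options"];

function makeFakeChrome() {
  const registered = []; // one entry per addListener call
  const onHeadersReceived = { addListener(fn, filter, extra) { registered.push({ fn, filter, extra }); } };
  return { chrome: { webRequest: { onHeadersReceived } }, registered };
}

// The response every fuzzed domain "returns": all security headers present.
function syntheticResponse(domain) {
  return {
    url: `https://${domain}/`, type: "main_frame", statusCode: 200,
    responseHeaders: [
      { name: "Content-Security-Policy", value: "default-src 'self'" },
      { name: "Strict-Transport-Security", value: "max-age=31536000" },
      { name: "X-Frame-Options", value: "DENY" },
      { name: "Content-Type", value: "text/html" },
    ],
  };
}

const lowerMap = (hdrs) => new Map(hdrs.map((h) => [h.name.toLowerCase(), h.value]));

function fuzzHeaderListeners(extensionInit, domains) {
  const { chrome, registered } = makeFakeChrome();
  extensionInit(chrome); // let the extension register its handlers
  const findings = [];
  for (const domain of domains) {
    for (const { fn } of registered) {
      const details = syntheticResponse(domain);
      const before = lowerMap(details.responseHeaders);
      // A blocking listener may return {responseHeaders}; anything else leaves them unchanged.
      const after = lowerMap((fn(details) || {}).responseHeaders || details.responseHeaders);
      for (const h of SECURITY_HEADERS) if (after.get(h) !== before.get(h)) findings.push({ domain, header: h, was: before.get(h), now: after.get(h) ?? null });
    }
  }
  return findings;
}

// Constructed test fixture standing in for an extension under analysis: its
// listener drops the CSP header, the behaviour the indicator has to catch.
function sampleExtension(chrome) {
  chrome.webRequest.onHeadersReceived.addListener(
    (d) => ({ responseHeaders: d.responseHeaders.filter((h) => h.name.toLowerCase() !== "content-security-policy") }),
    { urls: ["<all_urls>"] }, ["blocking", "responseHeaders"]);
}
```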
Results
● 47,940 extensions from Chrome Web Store
● 392 extensions from Anubis

Analysis result   Count
Benign            43,490
Suspicious        4,712
Malicious         130

"SimilarSites Pro"
Enough for "watering hole" attacks …
Defenses
● Prohibit:
  – Manipulating configuration pages, e.g., chrome://extensions
  – Uninstalling extensions
  – Removing security-related HTTP headers
  – Hooking keyboard events
● Require:
  – Local inclusion of static files instead of dynamic JavaScript inclusions
Limitations
● Dynamic analysis incomplete
● Targeted attacks (location, time)
● Multistep/conditional queries of DOM elements in HoneyPages
● Evasions against HoneyPages
Enterprise Visibility: Inferring Asset Aliasing
General problem scope: how can remote vantage points (network monitoring; servers) recognize recurring instances of the same client?
IP addresses do not suffice: mobility, NAT, DHCP.
With control over servers: easy. Use cookies or equivalent.
Absent server-side control: hard.
Challenge: can we comprehensively identify latent trackers manifest anywhere in client traffic?
Idea: mine traces for strings unique to known clients.
Inferring Asset Aliasing
Analysis built on 8-byte strings.
To date: 16 days of ICSI border traffic: 31M connections, 18M outbound. Internal DHCP and NAT logs: 300 clients behind NAT.
Interim Results:
Cookie:_tmpi=MjAxNDAxMjY_MzpDQUVTRUtyY2xuSDd5SDVzRS1LaDB4eng2S3c6MzA;_tmid=-3256379668746322853
GET /pixel/2189/?sync=103&che=[cachebuster]&uuid=2492377121373197670 HTTP/1.1
{"id":"356489051444763","type":"IMEI_NUMBER"}
Skype, Dropbox URLs; Symantec User-Agent
Game plan:
- Complete ICSI analysis
- Scale up to LBNL analysis (ext./int.)
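The "mine traces for strings unique to known clients" idea built on 8-byte strings, as an added example that is not the project's own analysis code: each record carries the internal client (which the real analysis takes from DHCP/NAT logs), an 8-gram qualifies when it is seen for exactly one client on at least two days, and adjacent qualifying 8-grams are merged back into the full token. The trace, the `mineClientIdentifiers` function and the minDays threshold are constructed for this illustration.

```javascript
// Added example (not the project's code): mining traces for strings that
// pin down one client, following the slides' "8-byte strings" idea. Which
// internal client sent each record comes from DHCP/NAT logs; here it is a
// constructed "client" label. An 8-gram is a candidate identifier when it
// occurs for exactly one client on at least minDays distinct days.
const N = 8;

function mineClientIdentifiers(records, minDays = 2) {
  const grams = new Map(); // 8-gram -> { clients: Set, days: Set }
  for (const { day, client, payload } of records) {
    for (let i = 0; i + N <= payload.length; i++) {
      const g = payload.slice(i, i + N);
      let e = grams.get(g);
      if (!e) grams.set(g, (e = { clients: new Set(), days: new Set() }));
      e.clients.add(client);
      e.days.add(day);
    }
  }
  const isCandidate = (g) => {
    const e = grams.get(g);
    return Boolean(e) && e.clients.size === 1 && e.days.size >= minDays;
  };
  // Merge runs of consecutive candidate windows into one maximal string so a
  // 19-digit uuid or a cookie value comes out whole rather than in 8-byte pieces.
  const found = new Map(); // client -> Set of identifier strings
  for (const { client, payload } of records) {
    let start = -1;
    for (let i = 0; i <= payload.length - N + 1; i++) {
      const cand = i <= payload.length - N && isCandidate(payload.slice(i, i + N));
      if (cand && start < 0) start = i;
      if (!cand && start >= 0) {
        if (!found.has(client)) found.set(client, new Set());
        found.get(client).add(payload.slice(start, i - 1 + N));
        start = -1;
      }
    }
  }
  return Object.fromEntries([...found].map(([c, s]) => [c, [...s].sort()]));
}

// Constructed sample trace (not real data): three NAT clients over two days.
const SAMPLE_TRACE = [
  { day: 1, client: "A", payload: "GET /pixel/2189/?sync=103&uuid=1122334455667788990" },
  { day: 2, client: "A", payload: "GET /pixel/2189/?sync=104&uuid=1122334455667788990" },
  { day: 1, client: "A", payload: "Cookie: _tmid=-5551212" },
  { day: 2, client: "A", payload: "Cookie: _tmid=-5551212" },
  { day: 1, client: "B", payload: "GET /pixel/2189/?sync=103&uuid=9988776655443322110" },
  { day: 2, client: "B", payload: "GET /pixel/2189/?sync=105&uuid=9988776655443322110" },
  { day: 1, client: "B", payload: "Cookie: _tmid=-7778888" },
  { day: 1, client: "C", payload: "GET /pixel/2189/?sync=103&uuid=5555555555555555555" },
];
```

Shared path and header bytes never qualify, so only the per-client tokens survive; client C appears on one day only and therefore yields nothing.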