paolo passeri - a multi layered approach to threat intelligence
TRANSCRIPT
MILAN 20/21.11.2015
A Multi Layered Approach to Threat Intelligence
Paolo Passeri
MILAN 20/21.11.2015 - Paolo Passeri
Powered by OpenGraphiti
Malware is Increasingly Sophisticated but…
• Cybercrime is lucrative and is offered as a service
• The barrier to entry for opportunistic attacks is low
• State-sponsored attacks and organized crime are well funded
• New malware samples emerge at an unprecedented pace
• Malware is more and more sophisticated, even for opportunistic attacks
…The Entry Barrier is Low
[Timeline 1990–2020: Viruses (1990–2000); Worms (2000–2005); Spyware and Rootkits (2005–Today); APTs, Crime as a Service (Today+). Hacking becomes an industry: from phishing and low-sophistication attacks to sophisticated attacks in a complex landscape.]
Source: Addressing the Full Attack Continuum: Before, During, and After an Attack: http://www.cisco.com/web/learning/le21/le34/assets/events/i/gartner_BDA_Whitepaper.pdf
An Increased Attack Surface
ADOPTION OF CLOUD SERVICES
Users are increasingly adopting cloud-based productivity tools, bypassing centralized controls and accessing the services from any device, anywhere. By 2018, 25% of corporate data traffic will bypass perimeter security, connecting mobile devices directly to the cloud. Since this traffic bypasses the perimeter, by 2016 30% of targeted attacks will specifically target remote offices and entry points.
SHIFTING PARADIGM
New attack vectors have changed the security model: attackers do not penetrate the defenses directly but lure the victims into being compromised.
Observable Elements During the Attack Lifecycle
The Kill Chain (a possible model)
[Diagram: RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST, taking the attacker from TARGET to BREACH, COMPROMISE and PIVOT; the time scale across the chain reads, left to right, “hours to months”, “seconds”, “months”; the same chain applies to opportunistic and targeted attacks.]
OBSERVABLE ELEMENTS
Attackers’ Payloads: Exploit Kit or Custom Code; Known or Zero-Day Vulnerability; Hardcoded or DGA Callbacks; Communication Ports/Protocols
Attackers Themselves: Tools, Tactics & Procedures; Industries & Data Targeted; Motivations & Affiliations; Languages & Geo-Regions
Attackers’ Infrastructure: Setup Networks (& ASNs); Setup Servers (& Nameservers); Allocate IP Address Space; Register (& Flux) Domains
Impact of a Breach
[Timeline: START → MINUTES → HOURS → MONTHS]
Breach occurs: in 60% of cases attackers are able to compromise an organization within minutes.
The average time to discover a breach caused by an external attacker is 256 days.
75% of attacks observed spread from one victim to another within 24 hours, and over 40% hit the second organization one hour later.
Source: Verizon Data Breach Report 2015, Ponemon Data Breach Cost 2015
Anatomy of a Drive-By/Watering-Hole Attack
STAGE: Attackers identify a legitimate vulnerable site and inject a malicious iFrame.
LAUNCH: The unaware victim visits the compromised page.
EXPLOIT: The iFrame redirects the user to an Exploit Kit landing page. The EK exploits a client vulnerability to inject the payload.
INSTALL: The endpoint is compromised and under direct control of the attacker.
CALLBACK
Drive-by attacks are used for opportunistic campaigns, watering-hole attacks for targeted campaigns. In both cases the attacker can deploy sophisticated malware.
Anatomy of a Spear Phishing Attack
Attackers identify the victim’s habits and weaknesses (technological and behavioural).
The malicious message is sent; it exploits software and human vulnerabilities.
The human vulnerability leads the user to open the attachment. The software vulnerability executes arbitrary code once the attachment is opened. The endpoint is compromised and under direct control of the attacker.
[Mock-up: e-mail with “Subject: Your Pay rise”, the attachment carrying a 0-day]
Phases: RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST
Countermeasures
[Diagram: kill chain RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST (TARGET → BREACH → COMPROMISE → PIVOT), with the countermeasures available at each layer]
• Infrastructure: Domain Classification, IP/Domain Reputation
• Network: FW/IPS, Web/Email Gateways, 1st Gen Network Sandboxes, IP/Domain Reputation
• Endpoint: AV, 1st Gen Sandbox
• Policies: User Education
And the Multiple Ways to Evade Them
[Diagram: the same kill chain RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST (TARGET → BREACH → COMPROMISE → PIVOT), with the evasion techniques used at each layer]
Evasion
• Infrastructure: Obfuscation, Domain Shadowing, Malvertising; at callback: Hardcoded IP, DGA, Fast Flux, P2P, TOR callbacks
• Network: Encryption, Obfuscation, Steganography
• Endpoint: Packing, Polymorphism (AV Evasion), Sandbox Detection
Evading Network Detection
Evading Detection: Network and Reputation
Attackers can use multiple ways to avoid detection at the network level.
During the Install phase:
• Encrypted payload on legitimate traffic/ports.
• Use of DDoS attacks to cloak subtle operations.
• Malvertising spreading malicious content on legitimate sites via ad networks (hard to detect and categorise).
During the Callback phase:
• Use of encrypted protocols, P2P, TOR callbacks.
• Callbacks hidden in social networks, legitimate forum pages…
• DGA, Fast-Flux, Domain Shadowing.
Evading Detection: Evolution of Callbacks & Domain Shadowing
[Diagram: four generations of callback infrastructure, with the sample addresses shown on the slide]
HARD-CODED IP: the sample calls back to a single fixed address (@23.4.24.1).
“FAST FLUX”: one domain (bad.com?) resolves to a rotating set of addresses (@23.4.24.1, @34.4.2.110, @129.3.6.3).
DOMAIN GENERATION ALGORITHM: the sample generates candidate domains (rnd.com?, rnd.biz?, rnd.net?) that map to changing addresses (@34.4.2.110, @8.2.130.3, @12.3.2.1, @67.44.21.1).
DOMAIN SHADOWING: subdomains (decg, dojamg) are created under a hijacked legitimate domain (hjacklegitdomain.com) and pointed at attacker addresses (@129.3.6.3, @23.4.24.1).
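The three callback patterns on the slide leave different traces in resolver logs, which is what the "DNS as the gate" layer later in the talk relies on. The following is an added example, not code from the talk or from any product it mentions: it scores constructed resolver log lines for fast flux (one name, many short-TTL answers), DGA-style names (long, high-entropy, vowel-poor labels) and domain shadowing (several unrelated child labels under one registered domain) and reports which shadowed domain shares addresses with other flagged names. The log format, thresholds, the toy registered-domain rule and all names and addresses except those on the slide are assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed resolver log lines (not real traffic): "unix_ts client qname answer_ip ttl".
# The addresses and the hjacklegitdomain.com / bad.com names come from the slide;
# the DGA-looking names and client addresses are made up for the example.
SAMPLE_LOG = """\
1447981200 10.0.0.5 bad.com 23.4.24.1 60
1447981260 10.0.0.5 bad.com 34.4.2.110 60
1447981320 10.0.0.7 bad.com 129.3.6.3 60
1447981380 10.0.0.5 bad.com 8.2.130.3 60
1447981200 10.0.0.9 www.example.com 192.0.2.10 86400
1447981300 10.0.0.9 xkqzpvtrwbmd.biz 12.3.2.1 300
1447981360 10.0.0.9 qjwrtxnpzlkv.net 67.44.21.1 300
1447981400 10.0.0.11 decg.hjacklegitdomain.com 129.3.6.3 3600
1447981460 10.0.0.11 dojamg.hjacklegitdomain.com 23.4.24.1 3600
1447981520 10.0.0.11 zzqwy.hjacklegitdomain.com 23.4.24.1 3600
1447981580 10.0.0.11 mail.hjacklegitdomain.com 198.51.100.10 86400
"""

# Hostnames that legitimately live under most domains; not counted as shadow children.
COMMON_HOSTS = {"www", "mail", "ftp", "smtp", "imap", "ns1", "ns2"}


def parse_log(text):
    """Turn the constructed log format into a list of dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qname, ip, ttl = line.split()
        records.append({"ts": int(ts), "client": client,
                        "qname": qname.lower().rstrip("."), "ip": ip, "ttl": int(ttl)})
    return records


def registered_domain(qname):
    """Toy eTLD+1 (last two labels). Real code would consult the public suffix list."""
    return ".".join(qname.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character of the label; random strings score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def dga_score(qname):
    """Heuristic DGA check on the registered label: long, high entropy, few vowels."""
    label = registered_domain(qname).split(".")[0]
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return len(label) >= 10 and shannon_entropy(label) >= 3.0 and vowel_ratio < 0.2


def analyze(text, flux_min_ips=3, flux_max_ttl=300, shadow_min_children=3):
    """Flag fast-flux names, DGA-like names and shadowed domains in one pass."""
    ips_by_name = defaultdict(set)
    min_ttl_by_name = {}
    children_by_domain = defaultdict(set)
    ips_by_domain = defaultdict(set)
    for r in parse_log(text):
        name, reg = r["qname"], registered_domain(r["qname"])
        ips_by_name[name].add(r["ip"])
        min_ttl_by_name[name] = min(min_ttl_by_name.get(name, r["ttl"]), r["ttl"])
        ips_by_domain[reg].add(r["ip"])
        labels = name.split(".")
        if len(labels) > 2:  # a child host under the registered domain
            child = ".".join(labels[:-2])
            if child not in COMMON_HOSTS:
                children_by_domain[reg].add(child)

    fast_flux = sorted(n for n, ips in ips_by_name.items()
                       if len(ips) >= flux_min_ips and min_ttl_by_name[n] <= flux_max_ttl)
    dga = sorted(n for n in ips_by_name if dga_score(n))
    shadowing = {d: sorted(c) for d, c in children_by_domain.items()
                 if len(c) >= shadow_min_children}
    # Pivot: which shadowed domains point at addresses already seen behind flux/DGA names?
    flagged_ips = set()
    for n in fast_flux + dga:
        flagged_ips |= ips_by_name[n]
    shared_ips = {d: sorted(ips_by_domain[d] & flagged_ips) for d in shadowing}
    return {"fast_flux": fast_flux, "dga": dga, "shadowing": shadowing, "shared_ips": shared_ips}


if __name__ == "__main__":
    for key, value in analyze(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

With the constructed log, bad.com is reported as fast flux, the two random-looking names as DGA candidates, and hjacklegitdomain.com as shadowed with three uncommon children, two of which resolve to addresses already seen behind bad.com; that overlap is the kind of infrastructure pivot the later Diamond Model slides describe.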
Evading Categorization: Exploit Kit Landing Pages
• Attackers try to obfuscate EK landing pages to avoid categorization by AV or other security solutions.
• Latest techniques include adding passages of classic text (the example reports several passages from “Sense and Sensibility”).
• The use of text from more contemporary works such as magazines and blogs is another effective strategy.
Source: Cisco Security Research
Fighting AV Detection
Evading Detection: Endpoint/Network AV
• Building AV signatures is a time-consuming and error-prone process.
• Cybercrime-as-a-service models make the entry barrier low.
• On average, 390,000 new malicious programs are detected every day.
• 95% of malware types show up for less than a month and 4 of 5 don’t last beyond a week.
• 70–90% of malware samples are unique to an organization.
• Keeping up is simply impossible, as well as useless.
Source: http://avtest.org, Verizon 2015 DBIR Report
Do you Want to Play in My Sandbox?
Evading Detection: Sandboxes
• Sandboxes have been conceived to overcome the limitations of signature-based analysis.
• Malware authors are increasing their use of sandbox detection techniques.
• Evasion techniques are becoming more and more sophisticated (listed along a rising sophistication axis):
• sleeping,
• stalling loops,
• hypervisor checks, registry checks, memory and vCore enumeration,
• human activity checks,
• API calls executed directly in assembler.
Example of several evasion techniques from http://www.malwarestats.org
Nothing to see (and to detect) here… Please disperse…
Targeted Attack Hierarchy of Needs
Source: http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs
Building a Solid Foundation
• Trying to fight advanced threats while ignoring the fundamentals is not an effective approach.
• Focus on identifying a realistic security strategy, recruit the right staff and implement the basic countermeasures.
An Integrated Portfolio that Enables Orchestration
This concept applies to processes and technologies.
• Create a process framework that removes “silos” and allows communication between internal entities.
• When evaluating technology, prioritize vendors that offer multiple pillars as well as those that have third-party integrations that make operationalizing the solution effective.
Gain Visibility Through the Attack Continuum
[Diagram: BEFORE (Discover, Enforce, Harden) → DURING (Detect, Block, Defend) → AFTER (Scope, Contain, Remediate), all resting on VISIBILITY AND CONTEXT]
BEFORE: Comprehensive awareness and visibility in order to predict threats, educate users, implement policies and controls.
DURING: Identify the threat context. Collect and correlate data from multiple points. Evolve into a continual analysis process.
AFTER: Apply a retrospective security model: continuously gather and analyze data to create security intelligence.
Open | Pervasive | Integrated | Continuous
Source: http://www.cisco.com/web/learning/le21/le34/assets/events/i/gartner_BDA_Whitepaper.pdf
With an Adaptive Security Architecture
Source: Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks
Deploy a Multi Layer Approach
[Diagram: kill chain RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST, covered end to end by Cloud Based Threat Intelligence across the four quadrants PREDICT, PREVENT, DETECT, RESPOND]
PREDICT: Enforce cloud-based threat intelligence to predict attacks before they happen. DNS/WHOIS/Email/ASN data allows pivoting through the attacker infrastructure.
PREVENT: Enforce the first level of security at the DNS level: consider the DNS as the gate to the Internet.
DETECT: Build a framework of solutions that interoperate and allow threat models and IoCs to be exchanged in real time among the different layers:
• NGFW/NGIPS
• Network based Sandboxes
• Email Security/Web Security Gateways
RESPOND: Enforce cloud-based threat intelligence to perform retrospective analysis.
Open | Pervasive | Integrated | Continuous
Example: The Diamond Model of Intrusion Analysis
[Diagram: four vertices, Adversary (top), Victim (bottom), Infrastructure (left), Capability (right), joined by edges]
Adversary: Persona (email addresses, handles, phone #’s)
Infrastructure: IP Addresses, Domain Names, ASN, Email Addresses
Capability: Malware, Exploits, Hacker Tools
Victim: Personas, Network Assets, Email Addresses
Meta Features: • Timestamp • Phase • Result • Direction • Methodology • Resources
An adversary deploys a capability over some infrastructure against a victim. These activities are called events. Analysts or machines populate the model’s vertices as events are discovered and detected. The vertices are linked with edges highlighting the natural relationship between the features.
Source: The Diamond Model of Intrusion Analysis: http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf
Applying The Diamond Model
[Diagram: the same four vertices, Adversary, Victim, Infrastructure, Capability, with the pivot path numbered 1–5]
1. The victim (organization) discovers a threat
2. Threat contains C2 domain
3. C2 domain resolves to C2 IP
4. Logs reveal further victims contacting C2 IP
5. IP address ownership reveals adversary
By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.
Source: The Diamond Model of Intrusion Analysis: http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf
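The five-step pivot above can be written down as a small event graph, which makes clear what each step adds to the model. The following is an added example, not code from the talk or from the Diamond Model paper: an `Event` carries the four vertices plus the paper's meta-features, and `pivot()` walks the slide's steps using constructed stand-ins for passive DNS, proxy logs and IP ownership data. The victim names, the C2 domain (under the reserved .example TLD), the documentation-range addresses, the ASN and the registrant handle are all made up for the example; the capability hash is a placeholder.

```python
from dataclasses import dataclass, replace
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class Event:
    """One Diamond Model event: an adversary deploys a capability over
    some infrastructure against a victim, plus the model's meta-features."""
    adversary: Optional[str]
    capability: Optional[str]
    infrastructure: Optional[str]
    victim: Optional[str]
    timestamp: str
    phase: str
    result: str = "unknown"
    direction: str = "victim-to-infrastructure"
    methodology: str = ""
    resources: str = ""


# Constructed enrichment data (assumptions for the example, not real records),
# standing in for passive DNS, egress proxy logs and WHOIS/ASN ownership lookups.
PASSIVE_DNS = {"update-check.example": ["203.0.113.45"]}            # C2 domain -> IPs
PROXY_LOGS = [                                                      # (timestamp, org, dst ip)
    ("2015-11-03T09:12:00Z", "acme-corp", "203.0.113.45"),
    ("2015-11-04T22:40:00Z", "globex", "203.0.113.45"),
    ("2015-11-05T01:05:00Z", "initech", "203.0.113.45"),
    ("2015-11-05T08:00:00Z", "globex", "198.51.100.7"),             # unrelated traffic
]
IP_OWNERSHIP = {"203.0.113.45": "AS64496 (registrant handle: crew-x)"}  # IP -> owner


def pivot(discovered: Event, passive_dns, proxy_logs, ip_ownership) -> Tuple[List[Event], List[str]]:
    """Walk the slide's five pivot steps from one discovered event.
    Returns the grown event list and a human-readable trace of each step."""
    events: List[Event] = [discovered]
    trace = [f"1. {discovered.victim} discovers threat {discovered.capability}"]
    domain = discovered.infrastructure
    trace.append(f"2. threat contains C2 domain {domain}")
    ips = passive_dns.get(domain, [])
    trace.append(f"3. {domain} resolves to {', '.join(ips) or 'no record'}")
    for ip in ips:
        # Step 4: other organizations seen contacting the C2 address become new victim vertices.
        hits = [(ts, org) for ts, org, dst in proxy_logs
                if dst == ip and org != discovered.victim]
        trace.append(f"4. logs reveal {len(hits)} further victim contact(s) with {ip}")
        for ts, org in hits:
            events.append(Event(adversary=None, capability=discovered.capability,
                                infrastructure=ip, victim=org, timestamp=ts,
                                phase="callback", result="success",
                                methodology="C2 beacon observed in proxy logs",
                                resources="passive DNS + proxy logs"))
        # Step 5: ownership of the address fills the adversary vertex on every linked event.
        owner = ip_ownership.get(ip)
        trace.append(f"5. ownership of {ip} reveals {owner or 'nothing'}")
        if owner:
            events = [replace(e, adversary=owner) if e.adversary is None else e
                      for e in events]
    return events, trace


def vertices(events: List[Event]) -> Dict[str, Set[str]]:
    """Collect the populated Diamond vertices across a set of events."""
    out: Dict[str, Set[str]] = {k: set() for k in
                                ("adversary", "capability", "infrastructure", "victim")}
    for e in events:
        for k in out:
            value = getattr(e, k)
            if value:
                out[k].add(value)
    return out


def run_example():
    """Start from the event the first victim discovered and pivot outward."""
    first = Event(adversary=None, capability="dropper sha256:<placeholder>",
                  infrastructure="update-check.example", victim="acme-corp",
                  timestamp="2015-11-03T09:00:00Z", phase="install",
                  result="success", methodology="spear phishing attachment")
    return pivot(first, PASSIVE_DNS, PROXY_LOGS, IP_OWNERSHIP)


if __name__ == "__main__":
    found, steps = run_example()
    print("\n".join(steps))
    for vertex, values in vertices(found).items():
        print(f"{vertex}: {sorted(values)}")
```

Starting from a single event with an empty adversary vertex, the pivot ends with three victims, two infrastructure elements (the domain and the address it resolved to) and one adversary attached to every event; the traffic from globex to the unrelated address is correctly left out because it never touches the C2 infrastructure.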
Conclusions
• Malware is more and more sophisticated and the entry barrier is low from both a technical and an economic standpoint.
• The growing adoption of cloud services and a new attack paradigm (in->out) increase the attack surface.
• Evasion techniques are increasingly common and are becoming more and more aggressive.
• A multi layer approach to threat intelligence allows pivoting through the attackers’ infrastructure, making the target able to predict, detect and perform retrospective analysis.
Leave your feedback on Joind.in! https://m.joind.in/event/codemotion-milan-2015