Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul


Page 1: Ntxissacsc5 purple 4-threat detection using machine learning-markszewczul

NTXISSA Cyber Security Conference – November 10-11, 2017 @NTXISSA #NTXISSACSC5

Mobile Threat Detection using On-Device Machine Learning Engine

Mark Szewczul, CISSP

IoT Security Architect

Zimperium, Inc.

11/10/2017

Page 2

Rhetorical Questions

• How many of you carry a Smartphone or a Tablet?

• How many have access to corporate information?

Page 3

Not-so-Rhetorical Questions

• How many believe that your mobile is completely safe?

• How many of you would know if it was not?

Page 4

Mobile Is the New PC

Page 5

Mobile Is the New PC

[Chart: Global Internet Consumption, Desktop vs Mobile, in minutes per day, 2014–2018; series: Mobile Internet, Desktop Internet]

Source: “Mobile Advertising Forecast, 2016”, Zenith

Page 6

Mobile Compromise → Risk to Enterprise

Data on the device: Emails, Pictures, Company Confidential files, Technology, Contacts, Calendar, Credentials, Assets

Access the device grants: Email Servers, Document Repositories, Enterprise Apps, Corporate Servers → Further compromise

Avoid the ripple effect...

Page 7

The Threat Is Real.

And It Is Everywhere

Page 8

Malicious App

Page 9

Malicious App (Mobile Threats Are Real…)

1. Install app from third-party store

2. Permissions abuse

3. Exploit executed

4. Leak data

5. Used as pivot to internal network

Page 10

iOS Profile

Page 11

iOS Profile (Mobile Threats Are Real…)

1. Consultant that goes in and out of client networks (client1_wifi, client2_wifi, client3_wifi, client4_wifi)

2. Doesn’t like client network restrictions on-site

3. Installs “free” VPN profile to bypass restrictions

4. Installs SSL cert to encrypt / decrypt device traffic

5. All company data is decrypted to the hacker

Page 12

Wi-Fi MITM

Page 13

Wi-Fi MITM (Mobile Threats Are Real…)

1. At a coffee shop near an office (coffee_wifi)

2. Wi-Fi MITM

3. Redirect to phishing page

4. Data exploit

5. Access to cloud source data

Page 14

Silent Device Exploit

Page 15

Silent Device Exploit, e.g., Stagefright (Mobile Threats Are Real…)

1. Phone on table while you sleep

2. MMS sent to dormant device

3. MMS processed

4. Exploit executed

5. Privilege elevation

6. Device compromised

7. Persistence for targeted attack

Page 16

The Threat is Real… & Pervasive

• Network Attacks: 10% of Devices

• Malicious Apps: 11% of Devices

• Dangerously Configured Devices: 12% of Devices

• Vulnerable (e.g., Out of Date OS, Leaky App…): 87% of Devices

Source: “1Q/2017 Global Threat Intelligence”, Zimperium

Page 17

The Threat Is Real.

What does a CISO do?

Page 18

Two Areas of Consideration

1. Manage Risk with Conditional Entitlement

2. Active Threat Defense

Page 19

z9™ Detection Engine uses machine learning to provide real-time, on-device protection against both known & unknown threats

On-Device ML DETECTION ENGINE, covering: Network Attacks, Application Attacks, Device Attacks

Page 20

STAGES of Cyber Kill Chain

• Stage 1 – Reconnaissance

• Stage 2 – Network Manipulation

• Stage 3 – Delivery

• Stage 4 – Command & Control

• Stage 5 – EOP (Elevation of Privilege)

• Stage 6 – Data Exfiltration

Page 21

Kill chain walkthrough (user timeline: Coffee Shop → Connect to Wi-Fi → Check Emails → Download Attachments → Found Infection → Run Cleaning Tool)

1. Recon: Scan (IPv4/IPv6), Target discovery

2. Network Manipulation: MITM, Intercept Traffic

3. Delivery: Malware, Social Engineering

4. Command & Control: Exploit, Get Reverse Shell

5. EOP: OS / Kernel Exploit, Privileges Elevation

6. Data Exfiltration: Compromised

Page 22

Let’s Attack!

Page 23

Q & A

Page 24

Thank you!

Page 25

About me

Mark Szewczul, CISSP, is an IoT Security Architect at Zimperium with over 20 years of experience in the semiconductor, telecom/datacom, and computing sectors. He is currently Director of Marketing at the Dallas/Fort Worth Cisco Users Group, has led the IEEE Electromagnetic Compatibility Society and co-founded the IEEE Consumer Electronics Society, both in Dallas. Along the journey, he has mastered design, testing, integration and deployment of numerous systems. His passion is implementing best practices of security and privacy principles at all 7 layers and beyond. He holds an MS in Information Science and Systems from Texas A&M University and 3 patents.

[email protected]

@vslick1

469-996-7942