Reacting to Advanced, Unknown Attacks in Real-Time with Lastline


Transcript of Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Page 1: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Engin Kirda // [email protected]
Ph.D., Prof., Co-Founder & Chief Architect, Lastline
www.lastline.com

Page 2: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Me

• Professor at Northeastern University, Boston
  – started malware research in about 2004
  – Helped build and release popular malware analysis and detection systems (Anubis, Exposure, …)

• Co-founder of Lastline, Inc.
  – Lastline offers protection against zero-day threats and advanced malware
  – Commercialization of many years of advanced research

Copyright ©2014 Lastline, Inc. All rights reserved. 2

Page 3: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Overview of This Talk

• Introduction to the Problem
• Evasive Malware (Backoff examples)
• Automatically Mitigating Breaches
• Conclusion


Page 4: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Cyberattack (R)Evolution

[Chart: Cyberattack (R)Evolution. Horizontal axis: Time. Vertical axis: $$ Damage (Hundreds, Thousands, Hundreds of Thousands, Millions, Billions). Stages, in order: Cybervandalism (#@!), Cybercrime ($$$), Targeted Attacks and Cyberwar (!!!).]

Page 5: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Online Crime is a Business

• Klikparty, 2007

Page 6: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Online Crime is a Business

• Klikparty, 2007

Page 7: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Malware is a Problem of Scale …


Page 8: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

… and Sophistication

[Chart: threat sophistication against attack targeting. Horizontal axis from Simple Threats (Plain Virus, Packing, Poly-morphic, C&C Fluxing) to Sophisticated Threats (Persistent Threats, Evasive Threats). Vertical axis from Opportunistic Attacks to Targeted Attacks. Labeled regions: Antivirus Solutions, APT Solutions, Security Gap.]

Current solutions fail to protect organizations from sophisticated, targeted attacks.

Page 9: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Lastline Labs AV Vendor Review

Antivirus systems take months to catch up to highly evasive threats.

Page 10: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

You’ve Probably Read This: Recent Payment Breaches

• The last year has seen a dramatic escalation in the number of breached PoS systems

• Many of these PoS payloads, like Backoff, evaded installed defenses and alarms

• In a few cases an early alarm was received, but it was ignored because it was indistinguishable from the background noise.


Page 11: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

What is Backoff?

• Malware used in numerous breaches in the last year

• Secret Service currently estimates 1,000+ U.S. businesses affected

• Targeted to PoS systems

• Evades analysis


Page 12: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

What is Backoff?

[1 Slide Summary from Kyle]

• Product screenshot?

• Mention evasive behaviors exhibited

Page 13: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

What is Backoff?

• Timing evasion (an anti-VM technique)

• Utilizes code obfuscation

• Also uses rare and poorly emulated instructions to defeat simple emulators

• Attempts to encrypt parts of the command and control traffic


Page 14: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline


How are the attackers deploying it?

• Scan for Internet facing Remote Desktop applications

• Brute force login credentials

• Often successfully find administrative credentials

• Use admin credentials to deploy Backoff to remote PoS systems
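The deployment path above (Internet-facing RDP, brute-forced credentials, then an administrative logon) is visible in authentication logs well before any PoS malware is dropped. The following is an added example, not Lastline code and not from the talk: it parses constructed Windows-style logon events (4625 failed, 4624 succeeded, logon type 10 for RDP), flags a source that accumulates failures inside a sliding window, and escalates when the same source then logs on successfully. The one-line field layout and the 5-failures-in-10-minutes threshold are assumptions chosen for the example.

```python
"""Detect an RDP credential spray that ends in a successful logon.

Added example for this transcript, not Lastline code. The sample lines below
are constructed to resemble Windows Security events (4625 = failed logon,
4624 = successful logon, Logon Type 10 = RemoteInteractive, i.e. RDP); the
one-line field layout and the 5-failures-in-10-minutes threshold are
assumptions chosen for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) EventID=(?P<eid>\d+) LogonType=(?P<ltype>\d+) "
    r"TargetUser=(?P<user>\S+) SourceIP=(?P<ip>\S+)$"
)
FAILED, SUCCEEDED = "4625", "4624"
RDP_LOGON_TYPE = "10"            # RemoteInteractive (Terminal Services / RDP)
FAIL_THRESHOLD = 5               # assumption: 5+ failures inside WINDOW is a spray
WINDOW = timedelta(minutes=10)

# Constructed sample: one source sprays several accounts, then logs on as
# administrator; a second source has a single typo; one console logon is noise.
SAMPLE_LOG = """\
2014-09-18T02:14:01 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.9
2014-09-18T02:14:03 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.9
2014-09-18T02:14:05 EventID=4625 LogonType=10 TargetUser=admin SourceIP=203.0.113.9
2014-09-18T02:14:07 EventID=4625 LogonType=10 TargetUser=pos SourceIP=203.0.113.9
2014-09-18T02:14:09 EventID=4625 LogonType=10 TargetUser=backoffice SourceIP=203.0.113.9
2014-09-18T02:14:11 EventID=4625 LogonType=10 TargetUser=administrator SourceIP=203.0.113.9
2014-09-18T02:14:20 EventID=4624 LogonType=10 TargetUser=administrator SourceIP=203.0.113.9
2014-09-18T02:15:00 EventID=4625 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2014-09-18T02:15:30 EventID=4624 LogonType=10 TargetUser=jsmith SourceIP=198.51.100.4
2014-09-18T02:16:00 EventID=4624 LogonType=2 TargetUser=cashier SourceIP=-
"""


def parse_events(log_text):
    """Parse the one-line event format into dicts, oldest first; skip other lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.fromisoformat(e["ts"])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def detect_rdp_bruteforce(events, threshold=FAIL_THRESHOLD, window=WINDOW):
    """One finding per source IP whose RDP failures reach the threshold inside
    the sliding window; a success from that IP while the spray is still in
    the window escalates the finding to critical."""
    recent = defaultdict(list)   # ip -> [(ts, user)] failures still inside the window
    findings = {}
    for e in events:
        if e["ltype"] != RDP_LOGON_TYPE:
            continue               # only RDP logons matter here
        ip, ts = e["ip"], e["ts"]
        recent[ip] = [(t, u) for t, u in recent[ip] if ts - t <= window]
        if e["eid"] == FAILED:
            recent[ip].append((ts, e["user"]))
            if len(recent[ip]) >= threshold:
                f = findings.setdefault(ip, {"source_ip": ip, "failures": 0,
                                             "users": set(), "succeeded_as": None})
                f["failures"] = max(f["failures"], len(recent[ip]))
                f["users"].update(u for _, u in recent[ip])
        elif e["eid"] == SUCCEEDED and ip in findings and recent[ip]:
            findings[ip]["succeeded_as"] = e["user"]
    result = []
    for f in sorted(findings.values(), key=lambda f: f["source_ip"]):
        f["users"] = sorted(f["users"])
        f["severity"] = "critical" if f["succeeded_as"] else "high"
        result.append(f)
    return result


if __name__ == "__main__":
    for finding in detect_rdp_bruteforce(parse_events(SAMPLE_LOG)):
        print(finding)
```

On the constructed sample, the single legitimate typo from 198.51.100.4 never reaches the threshold, while 203.0.113.9 produces one critical finding covering four targeted accounts and the administrator logon that followed. In practice the same logic runs against 4625/4624 events forwarded from the PoS segment, and the "succeeded after spray" case is the one worth paging on.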

Page 15: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Understanding Evasive Malware

Malware authors are not stupid
• Clearly, they got the news that sandboxes are all the rage now
• Since the code is executed, malware authors have options

Evasion defined
• Develop code that exhibits no malicious behavior in a traditional sandbox, but still infects the intended target
• Can be achieved in a variety of ways…

Page 16: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Understanding Evasive Malware

• Malware can detect the underlying runtime environment
  – differences between virtualized and bare-metal environments
  – checks based on system (CPU) features
  – artifacts in the operating system

• Malware can detect signs of specific analysis environments
  – checks based on operating system artifacts (files, processes, …)

• Malware can avoid being analyzed
  – tricks in making code run that the analysis system does not see
  – wait until someone clicks something
  – time out analysis before any interesting behaviors are revealed
  – simple sleeps, but more sophisticated implementations possible
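The last bullet above, timing out the analysis before anything interesting happens, is the evasion an analyst sees most often in an API trace. The following is an added example, not Lastline code and not from the talk: it scores a sandbox trace by looking only at the prefix before the first "interesting" call, summing the wait the sample requested and counting clock reads, and compares that against the analysis budget. The trace line format, the API groupings and the thresholds are assumptions; both traces are constructed, one to resemble a stalling sample and one an ordinary program.

```python
"""Score a sandbox API trace for timing-based (stalling) evasion.

Added example for this transcript, not Lastline code. The trace format (one
call per line, "<ms> <api>(<args>)"), the API groupings and the thresholds are
assumptions; both traces are constructed, one to resemble a sample that sleeps
past a short analysis run and one to resemble an ordinary program.
"""
import re

CALL_RE = re.compile(r"^(?P<ms>\d+) (?P<api>\w+)\((?P<args>[^)]*)\)$")

# Which argument of a wait-style call carries the requested duration (ms).
WAIT_ARG_INDEX = {"Sleep": 0, "SleepEx": 0, "WaitForSingleObject": 1}
CLOCK_APIS = {"GetTickCount", "GetTickCount64", "QueryPerformanceCounter",
              "GetSystemTimeAsFileTime", "timeGetTime"}
# Calls treated as "interesting behavior" an analyst wants to observe.
BEHAVIOR_APIS = {"InternetOpenA", "InternetConnectA", "HttpSendRequestA", "connect",
                 "send", "WriteFile", "RegSetValueExA", "CreateProcessA", "WinExec"}
ANALYSIS_BUDGET_MS = 120_000      # assumption: each sample runs for 2 minutes
MIN_CLOCK_READS = 3               # assumption: fewer reads are ordinary program behavior

# Constructed trace: clock reads interleaved with four 15-minute sleeps,
# and only then the first network activity.
STALLING_TRACE = """\
0 GetTickCount()
1 Sleep(900000)
2 GetTickCount()
3 Sleep(900000)
4 GetTickCount()
5 Sleep(900000)
6 GetTickCount()
7 Sleep(900000)
8 GetTickCount()
9 InternetOpenA(Mozilla/4.0)
10 InternetConnectA(c2.example.invalid,80)
"""

# Constructed trace: a program that writes a file right away.
BENIGN_TRACE = """\
0 GetTickCount()
1 CreateFileA(report.txt)
2 WriteFile(42)
3 Sleep(500)
4 CloseHandle(1)
"""


def parse_trace(text):
    """Parse trace lines into {ms, api, args}; lines that do not match are skipped."""
    calls = []
    for line in text.splitlines():
        m = CALL_RE.match(line.strip())
        if not m:
            continue
        raw = m.group("args")
        args = [a.strip() for a in raw.split(",")] if raw else []
        calls.append({"ms": int(m.group("ms")), "api": m.group("api"), "args": args})
    return calls


def requested_wait_ms(call):
    """Milliseconds a wait-style call asked for; 0 for other calls or unparsable args."""
    idx = WAIT_ARG_INDEX.get(call["api"])
    if idx is None or idx >= len(call["args"]):
        return 0
    try:
        return int(call["args"][idx], 0)
    except ValueError:
        return 0


def assess_timing_evasion(calls, budget_ms=ANALYSIS_BUDGET_MS):
    """Look only at the prefix before the first interesting behavior: that is
    where a stalling sample spends the analysis budget."""
    requested_sleep = 0
    clock_reads = 0
    first_behavior = None
    prefix_len = 0
    for call in calls:
        if call["api"] in BEHAVIOR_APIS:
            first_behavior = call["api"]
            break
        prefix_len += 1
        requested_sleep += requested_wait_ms(call)
        if call["api"] in CLOCK_APIS:
            clock_reads += 1
    indicators = []
    if requested_sleep > budget_ms:
        indicators.append("requested sleep exceeds analysis budget")
    if clock_reads >= MIN_CLOCK_READS and clock_reads / prefix_len >= 0.4:
        indicators.append("dense clock reads before any behavior")
    if first_behavior is None:
        indicators.append("no observable behavior during run")
    return {
        "verdict": "evasive" if indicators else "no timing evasion",
        "requested_sleep_ms": requested_sleep,
        "clock_reads": clock_reads,
        "first_behavior": first_behavior,
        "indicators": indicators,
    }
```

The stalling trace asks for an hour of sleep before its first network call, which a two-minute run would never reach; the benign trace sleeps too, but only after it has already done its work, so it is not penalized. A sandbox that controls the guest clock, as a full-system emulator can, gets to answer the sleep request instantly and keep the clock consistent, which is what turns this from a detection heuristic into a way to actually observe the post-sleep behavior.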

Page 17: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

3 Ways to Build a Sandbox

Not all sandbox solutions can detect highly evasive malware.

Page 18: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Virtualized Sandboxing vs. Full System Emulation

Even APT Solutions with virtualized sandboxing fail to detect highly evasive malware.

Page 19: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Lastline Platform Components

• Sensor (software): Analyzes network, email, web, and mobile traffic. Detects callbacks and extracts objects for advanced malware analysis and stops cyber threats.

• Manager (software): Correlates low-level threat events into high-level network incident views of network and object activity.

• Engine (software): Analyzes objects with a next-generation sandbox using full-system emulation. This approach allows for greater visibility into advanced malware.

• Threat Intel (subscription): Offers a rich knowledge base of malicious network sources and objects containing advanced cyber threats, built through machine learning, web crawling, emulated browsers, and automated and dynamic techniques.

• API (software): Provides the ability to submit objects for advanced malware analysis from any third-party sensor or system, queries the Threat Intelligence, and displays pertinent threat information.

Page 20: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Lastline Enterprise On-Premise

Suitable for those environments with tight requirements in terms of privacy and compliance. Customers may decide to share anonymous information with Lastline Labs.

Page 21: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Lastline Enterprise Hosted

Suitable for those customers who want to minimize the operational effort.

Page 22: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Technology Plays a Crucial Role but…

• Deploying an advanced solution to detect and mitigate a breach is a crucial input for the breach detection process

• However, to fully leverage the detection capabilities, the platform must be easily integrated into an organization from both a technology and a process perspective

Page 23: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

It’s Part of a Multi-Phase Process

• Who, when, where, how?

• Avoid the “Target Syndrome”;

• Build a process that is incident-based rather than event-based;

• Deploy a Scalable Architecture;

• Provide comprehensive coverage in terms of attack vectors;

• Reduce the TCO and boost the ROI;

• Quickly and Seamlessly adapt to changes;

• Provide multi-dimensional actionable threat intelligence;

• Feed Automated Systems (SIEM, Trouble Ticketing);

• Identify reliable IOCs;

• Use the correlated information to quickly enforce countermeasures.

Page 24: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Correlate the Information

• Lastline Enterprise Platform provides an incident-centric view, rather than an event-centric view

• Single events are post-processed and summarized into high-level incidents

Page 25: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Correlate the Information

Stage 1: Connection to the Drive-By Site

Stage 2: Malicious Binary Download

Stage 3: Malicious C&C connections

Everything is correlated into a single incident: Security Analysts look at a single incident rather than 4 separate events.

Result of the correlation process:
Drive-by + Malicious Binary Download = Endpoint successfully compromised!
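The three stages above collapse into one incident because the events share a host and arrive close together, and the verdict falls out of which stages are present. The following is an added example, not Lastline code and not from the talk: it groups constructed sensor events per host with a gap-based window, then post-processes each group into stages, a verdict and the IoCs it carries. The event line format (ISO timestamp followed by key=value pairs), the 30-minute window and the severity labels are assumptions; the hashes are placeholders.

```python
"""Correlate single sensor events into incidents, the way the slide's three
stages end up as one incident.

Added example for this transcript, not Lastline code. The event line format
(ISO timestamp followed by key=value pairs), the 30-minute correlation window
and the severity labels are assumptions; the events are constructed, with a
placeholder in place of a real file hash.
"""
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=30)   # assumption: a longer gap starts a new incident

# Constructed events: one host goes drive-by -> malicious download -> two C&C
# connections; another host downloads a benign file; the first host later hits
# another drive-by site, well outside the window.
SAMPLE_EVENTS = """\
2014-09-18T10:00:01 host=10.0.0.21 type=drive_by url=http://ads.example.invalid/landing
2014-09-18T10:00:04 host=10.0.0.21 type=binary_download url=http://dl.example.invalid/update.exe verdict=malicious sha1=CONSTRUCTED_HASH_0001
2014-09-18T10:00:40 host=10.0.0.21 type=cnc dst=cnc1.example.invalid:8080
2014-09-18T10:01:15 host=10.0.0.21 type=cnc dst=cnc2.example.invalid:443
2014-09-18T10:05:00 host=10.0.0.35 type=binary_download url=http://cdn.example.invalid/setup.exe verdict=benign sha1=CONSTRUCTED_HASH_0002
2014-09-18T11:30:00 host=10.0.0.21 type=drive_by url=http://ads.example.invalid/landing2
"""


def parse_events(text):
    """Parse "<timestamp> k=v k=v ..." lines into dicts, oldest first."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        e = dict(kv.split("=", 1) for kv in parts[1:])
        e["ts"] = datetime.fromisoformat(parts[0])
        events.append(e)
    return sorted(events, key=lambda e: e["ts"])


def correlate(events, window=WINDOW):
    """Group events per host: an event joins the host's open incident if it
    arrives within `window` of that incident's last event, else opens a new one."""
    incidents = []
    open_incident = {}
    for e in events:
        inc = open_incident.get(e["host"])
        if inc is None or e["ts"] - inc["last_seen"] > window:
            inc = {"host": e["host"], "first_seen": e["ts"], "last_seen": e["ts"], "events": []}
            incidents.append(inc)
            open_incident[e["host"]] = inc
        inc["events"].append(e)
        inc["last_seen"] = e["ts"]
    for inc in incidents:
        summarize(inc)
    return incidents


def summarize(inc):
    """Post-process one incident into stages, a verdict and the IoCs it carries."""
    evs = inc["events"]
    drive_by = [e for e in evs if e["type"] == "drive_by"]
    malicious_dl = [e for e in evs
                    if e["type"] == "binary_download" and e.get("verdict") == "malicious"]
    cnc = [e for e in evs if e["type"] == "cnc"]
    stages = []
    if drive_by:
        stages.append("Stage 1: Connection to the Drive-By Site")
    if malicious_dl:
        stages.append("Stage 2: Malicious Binary Download")
    if cnc:
        stages.append("Stage 3: Malicious C&C connections")
    if drive_by and malicious_dl:
        inc["verdict"] = "Endpoint successfully compromised!"
        inc["severity"] = "critical" if cnc else "high"
    elif malicious_dl or cnc:
        inc["verdict"] = "Suspicious activity"
        inc["severity"] = "medium"
    elif drive_by:
        inc["verdict"] = "Exposure only"
        inc["severity"] = "low"
    else:
        inc["verdict"] = "No malicious stage observed"
        inc["severity"] = "info"
    inc["stages"] = stages
    inc["iocs"] = {
        "urls": sorted({e["url"] for e in drive_by + malicious_dl}),
        "sha1": sorted({e["sha1"] for e in malicious_dl if "sha1" in e}),
        "cnc": sorted({e["dst"] for e in cnc}),
    }


if __name__ == "__main__":
    for inc in correlate(parse_events(SAMPLE_EVENTS)):
        print(inc["host"], inc["severity"], inc["verdict"], len(inc["events"]), "events")
```

On the constructed input the first host's four events become a single critical incident with all three stages, exactly the "one incident rather than four events" view on the slide; the benign download and the later lone drive-by become separate low-priority incidents instead of adding to the noise around the real one.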

Page 26: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Share the Actionable Threat Intelligence

• The post-processed information can be exported to external devices

• For further integration, the Lastline API can be easily integrated with existing security infrastructures

• SWGs (Secure Web Gateways), IPSs (Intrusion Protection Systems), NGFWs (Next-Generation Firewalls) and SIEM (Security Information Event Management) installations can all interoperate seamlessly with Lastline Enterprise

Page 27: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Providing Multi-Dimensional Information…

• The information provided by the Lastline Enterprise reports can be used at different levels
  – Operational level: extract the information to contain and mitigate the breach
  – Analytical level: perform post-mortem forensic analysis

Page 28: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Detailed Information for Security Analysts

Security Analysts can extract the Process Dumps and analyze them in IDA Pro.

It is also possible to derive reliable IoCs.

Page 29: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Automatically Mitigating the Breach

[Diagram: User 1, User 2 … User n, an Exploit Site and a C&C Site, connected by numbered steps 1 to 5, with Feedback To Global Threat Intelligence.]

Page 30: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

Mitigating the Breach

1. The sensor detects an advanced threat for the organization.

2. The artifact is analyzed by the Lastline Engine, leveraging full-system emulation.

3. The manager triggers an alert, using post-processing and correlation to ensure it is displayed with the right priority.

4. The information can be automatically transmitted in real time to third-party products that are part of the Lastline Defense Program, or to virtually any other technology by means of the Lastline API.

5. Other occurrences of the same threats are immediately detected and blocked.
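Steps 4 and 5 above, together with the earlier slides on exporting to SWGs, NGFWs and SIEMs and on deriving reliable IoCs, describe one mechanism: a confirmed incident is turned into rules for the enforcement points, and the next occurrence on another user's machine is blocked on sight. The following is an added example, not Lastline code and not its API: it expands a constructed incident record into per-device rules, applies them to constructed observations from other hosts, emits one JSON object per decision for a SIEM, and lists the newly affected hosts as the feedback that goes back to threat intelligence. The incident schema, rule and observation shapes, and the device names (swg, ngfw, endpoint) are assumptions; the hash is a placeholder.

```python
"""Turn a confirmed incident into enforcement rules, apply them to new sensor
observations, and export the decisions for a SIEM.

Added example for this transcript, not Lastline code and not its API. The
incident record, the rule/observation shapes and the device names (swg, ngfw,
endpoint) are assumptions; all values are constructed, with a placeholder in
place of a real hash.
"""
import json

CONFIRMED_INCIDENT = {
    "incident_id": "INC-EXAMPLE-0001",
    "host": "10.0.0.21",
    "verdict": "Endpoint successfully compromised!",
    "iocs": {
        "download_urls": ["http://dl.example.invalid/update.exe"],
        "sha1": ["CONSTRUCTED_HASH_0001"],
        "cnc": ["cnc1.example.invalid:8080", "cnc2.example.invalid:443"],
    },
}

# Constructed observations from other users' machines after the incident:
# same dropper, same C&C, an unrelated page, and the C&C host on a new port.
NEW_OBSERVATIONS = [
    {"host": "10.0.0.57", "url": "http://dl.example.invalid/update.exe", "sha1": "CONSTRUCTED_HASH_0001"},
    {"host": "10.0.0.58", "dst": "cnc2.example.invalid:443"},
    {"host": "10.0.0.59", "url": "http://www.example.invalid/index.html"},
    {"host": "10.0.0.60", "dst": "cnc1.example.invalid:9999"},
]


def host_of_url(url):
    return url.split("/")[2]


def iocs_to_rules(incident):
    """Expand IoCs into per-device rules: the web gateway blocks the download URL
    and its host, the firewall blocks the C&C destinations (and the C&C host on
    any port, since operators move ports), endpoints block the file hash."""
    iocs = incident["iocs"]
    rules = []
    for url in iocs["download_urls"]:
        rules.append({"device": "swg", "match": "url", "value": url})
        rules.append({"device": "swg", "match": "host", "value": host_of_url(url)})
    for dst in iocs["cnc"]:
        rules.append({"device": "ngfw", "match": "dst", "value": dst})
        rules.append({"device": "ngfw", "match": "host", "value": dst.rsplit(":", 1)[0]})
    for digest in iocs["sha1"]:
        rules.append({"device": "endpoint", "match": "sha1", "value": digest})
    for rule in rules:
        rule["incident_id"] = incident["incident_id"]
    return rules


def observation_keys(obs):
    """The (match, value) pairs a rule could hit in one observation."""
    keys = []
    if "url" in obs:
        keys += [("url", obs["url"]), ("host", host_of_url(obs["url"]))]
    if "dst" in obs:
        keys += [("dst", obs["dst"]), ("host", obs["dst"].rsplit(":", 1)[0])]
    if "sha1" in obs:
        keys.append(("sha1", obs["sha1"]))
    return keys


def apply_rules(rules, observations):
    """Block an observation if any of its keys is covered by a rule."""
    index = {(r["match"], r["value"]): r for r in rules}
    decisions = []
    for obs in observations:
        hits = [index[k] for k in observation_keys(obs) if k in index]
        decisions.append({
            "host": obs["host"],
            "action": "block" if hits else "allow",
            "matched": sorted({f"{h['device']}:{h['match']}" for h in hits}),
            "incident_id": hits[0]["incident_id"] if hits else None,
        })
    return decisions


def export_for_siem(decisions):
    """One JSON object per line, a shape SIEMs ingest without a custom parser."""
    return [json.dumps(d, sort_keys=True) for d in decisions]


def feedback_hosts(decisions):
    """Hosts that hit the rules: the new occurrences fed back to threat intelligence."""
    return sorted(d["host"] for d in decisions if d["action"] == "block")


if __name__ == "__main__":
    decisions = apply_rules(iocs_to_rules(CONFIRMED_INCIDENT), NEW_OBSERVATIONS)
    print("\n".join(export_for_siem(decisions)))
    print("feedback:", feedback_hosts(decisions))
```

Every decision carries the incident id, so an analyst reading the SIEM can walk from a blocked connection on the fourth host straight back to the incident that produced the rule. The host-level C&C rule is the part worth noticing: the fourth observation uses a port the incident never saw, and an exact-destination rule alone would have let it through.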

Page 31: Reacting to Advanced, Unknown Attacks in Real-Time with Lastline

For more information visit www.lastline.com or contact us at [email protected].

Thank You!