TRANSCRIPT
Extracting the Malware Signal from Internet Noise
Andrew Morris, Researcher
# whoami
• Andrew Morris
• Background in offense
• R&D @ Endgame
Tactical Insights from Global Trends
• My network is being scanned/attacked
  – Am I being targeted specifically?
  – Are other people seeing this as well?
• A vulnerability has been disclosed
  – Is anyone probing for this vulnerability?
  – Is anyone exploiting this vulnerability?
Faraday: A Global Network of Sensors
• Untargeted malware
• Geographically and logically dispersed
• Omnidirectional Internet traffic for collection and analysis
• If something is *not* in Faraday, it is likely targeted
• Capabilities: iptables, HTTP, Telnet, FTP, SSH, strategic packet capture, custom sensors
Faraday Architecture
Four Kinds of Traffic on Your Network
The difference between these can be hundreds of thousands of dollars in incident response.
• Omnidirectional, malicious: worm, mass exploit campaign
• Targeted, malicious: advanced persistent threat
• Omnidirectional, benign: search engines (e.g. Google)
• Targeted, benign: regular web user
My Network is Being Attacked
Omnidirectional malicious: the source shows up all over Faraday
$ faraday --ip 123.123.123.123 | wc -l
42013
Targeted malicious: the source appears nowhere in Faraday
$ faraday --ip 1.2.3.4 | wc -l
0
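The two `faraday --ip` lookups above, as an added example that is not Faraday's own code: a small Python triage that pulls source addresses out of iptables-style log lines from "my" network and checks each one against a sensor-network lookup, applying the earlier slide's rule that a source no sensor has seen is likely targeted. The sensor table, the log lines, the three-sensor threshold and the `classify_source`/`triage` names are constructed assumptions for illustration; the real `faraday` CLI is not used.

```python
"""Triage firewall-log sources against a global sensor network.

Added example, not Faraday's own code. The sensor data and the log lines
are constructed; the `faraday` CLI from the slides is replaced by a
hypothetical in-memory table mapping source IP -> IDs of sensors that saw it.
"""
import re
from collections import Counter

# Constructed: what a dispersed sensor network might have recorded.
SENSOR_OBSERVATIONS = {
    "203.0.113.7":  {"us-east-1", "eu-west-2", "ap-south-1", "sa-east-1"},  # mass scanner
    "198.51.100.9": {"us-east-1"},                                           # seen once, ambiguous
    # 192.0.2.55 is deliberately absent: nobody else has seen it.
}

# Constructed iptables-style log lines from the local network.
FIREWALL_LOG = """\
Feb 10 03:12:01 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.5 PROTO=TCP SPT=51234 DPT=23 SYN
Feb 10 03:12:02 fw kernel: IN=eth0 OUT= SRC=203.0.113.7 DST=10.0.0.6 PROTO=TCP SPT=51235 DPT=23 SYN
Feb 10 03:15:44 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=10.0.0.5 PROTO=TCP SPT=40001 DPT=22 SYN
Feb 10 03:15:45 fw kernel: IN=eth0 OUT= SRC=192.0.2.55 DST=10.0.0.5 PROTO=TCP SPT=40002 DPT=443 SYN
Feb 10 03:20:10 fw kernel: IN=eth0 OUT= SRC=198.51.100.9 DST=10.0.0.7 PROTO=TCP SPT=6000 DPT=80 SYN
"""

SRC_RE = re.compile(r"\bSRC=(\d{1,3}(?:\.\d{1,3}){3})\b")


def sources_from_log(log_text):
    """Count hits per source IP in iptables-style log lines."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SRC_RE.search(line)
        if m:
            counts[m.group(1)] += 1
    return counts


def classify_source(ip, observations, omni_threshold=3):
    """Slide rule: seen by many sensors -> omnidirectional; seen by none ->
    likely targeted; a handful of sightings -> undetermined (assumed cut-off)."""
    sensors = observations.get(ip, set())
    if len(sensors) >= omni_threshold:
        return "omnidirectional"
    if not sensors:
        return "targeted"
    return "undetermined"


def triage(log_text, observations=SENSOR_OBSERVATIONS, omni_threshold=3):
    """Return {ip: (local_hits, sensors_seen, verdict)}, ordered so the
    sources worth an incident responder's time (targeted) come first."""
    result = {}
    for ip, hits in sources_from_log(log_text).items():
        seen = len(observations.get(ip, set()))
        result[ip] = (hits, seen, classify_source(ip, observations, omni_threshold))
    order = {"targeted": 0, "undetermined": 1, "omnidirectional": 2}
    return dict(sorted(result.items(), key=lambda kv: order[kv[1][2]]))


if __name__ == "__main__":
    for ip, (hits, seen, verdict) in triage(FIREWALL_LOG).items():
        print(f"{ip:15} local_hits={hits:3} sensors_seen={seen:3} {verdict}")
```

The verdict only separates the two columns of the quadrant (omnidirectional versus targeted); whether a source is malicious or benign still has to come from what it did, which the raw SYN lines above do not show.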
A Vulnerability Has Been Disclosed
• Is anyone probing for this vulnerability?
• Is anyone massively exploiting this vulnerability?
Cisco CVE-2016-1287
Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
• Critical
• Disclosed Feb 10, 2016
• Affects all Cisco ASAs
[Chart: Faraday traffic to port 500 (IKE), 8-Feb-16 to 10-Feb-16, hits per day on a 0 to 3000 scale]
Cisco CVE-2016-1287
The spike and diversity of IP addresses over time tells us:
• People are not just probing, but actively targeting it
• Where they are coming from
• Who may have known about the vulnerability prior to public disclosure
• It is not (yet) being massively exploited
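The spike-and-diversity reasoning on the slide above, as an added example that is not Faraday's own analysis code: per-day hit counts, distinct sources and distinct sensors on one port, a spike test against the pre-disclosure baseline, and a list of sources that were already probing before the advisory. The observation records, the `factor=5` threshold and the function names are constructed assumptions shaped to resemble the port 500 chart; no real traffic is represented.

```python
"""Spot a post-disclosure probing spike on one port across a sensor network.

Added example; not Faraday's own analysis code. The observation records are
constructed to resemble the slides' port 500 chart around the CVE-2016-1287
disclosure (10 Feb 2016); no real traffic is represented.
"""
from collections import defaultdict
from datetime import date

PORT = 500                      # UDP/500, IKE, the service CVE-2016-1287 lives in
DISCLOSURE = date(2016, 2, 10)  # public disclosure date from the slides


def make_observations():
    """Constructed sensor records: (day, source_ip, dst_port, sensor_id)."""
    obs = []
    sensors = ["us-east-1", "eu-west-2", "ap-south-1", "sa-east-1"]
    # Background IKE noise: two sources per day before disclosure.
    for d in (date(2016, 2, 8), date(2016, 2, 9)):
        obs.append((d, "198.51.100.1", PORT, "us-east-1"))
        obs.append((d, "198.51.100.2", PORT, "eu-west-2"))
    # One source starts probing the day before the public advisory.
    obs.append((date(2016, 2, 9), "203.0.113.77", PORT, "ap-south-1"))
    # Disclosure day: twenty new sources, spread across all sensors.
    for i in range(20):
        obs.append((DISCLOSURE, f"203.0.113.{i + 1}", PORT, sensors[i % 4]))
    # The early prober returns on disclosure day and hits every sensor.
    for s in sensors:
        obs.append((DISCLOSURE, "203.0.113.77", PORT, s))
    # Unrelated Telnet traffic that the port filter must ignore.
    obs.append((DISCLOSURE, "192.0.2.9", 23, "us-east-1"))
    return obs


def daily_port_stats(obs, port):
    """Per day: (hits, distinct sources, distinct sensors) for one port."""
    hits, srcs, sens = defaultdict(int), defaultdict(set), defaultdict(set)
    for day, src, dport, sensor in obs:
        if dport != port:
            continue
        hits[day] += 1
        srcs[day].add(src)
        sens[day].add(sensor)
    return {d: (hits[d], len(srcs[d]), len(sens[d])) for d in sorted(hits)}


def spike_days(stats, disclosure, factor=5.0):
    """Days on/after disclosure where both volume and source diversity exceed
    `factor` times the pre-disclosure daily mean. Requiring diversity as well
    as volume keeps one loud scanner from looking like a trend."""
    baseline = [v for d, v in stats.items() if d < disclosure]
    if not baseline:
        return []
    base_hits = sum(v[0] for v in baseline) / len(baseline)
    base_srcs = sum(v[1] for v in baseline) / len(baseline)
    return [d for d, (h, s, _) in stats.items()
            if d >= disclosure and h > factor * base_hits and s > factor * base_srcs]


def early_sources(obs, port, disclosure):
    """Sources that probed the port before disclosure and again during the
    post-disclosure wave: a lead on who may have known early, not proof."""
    before = {s for d, s, p, _ in obs if p == port and d < disclosure}
    after = {s for d, s, p, _ in obs if p == port and d >= disclosure}
    return sorted(before & after)


def analyze(obs=None, port=PORT, disclosure=DISCLOSURE):
    """Run the whole pipeline; dates come back as ISO strings."""
    obs = make_observations() if obs is None else obs
    stats = daily_port_stats(obs, port)
    return {
        "daily": {d.isoformat(): v for d, v in stats.items()},
        "spike_days": [d.isoformat() for d in spike_days(stats, disclosure)],
        "early_sources": early_sources(obs, port, disclosure),
    }


if __name__ == "__main__":
    report = analyze()
    for day, (h, s, n) in report["daily"].items():
        print(f"{day}  hits={h:3}  sources={s:3}  sensors={n}")
    print("spike days:", report["spike_days"])
    print("seen before disclosure:", report["early_sources"])
```

Counts of this kind only show probing. Telling mass exploitation apart from mass probing, the slide's last bullet, needs the captured payloads from the packet-capture sensors, not the hit counts.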
Redis CVE-2015-4335
• Remote code execution vulnerability in Redis
  – Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published
  – Observed attacker behavior
  – Recorded attacker IP addresses
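The custom Redis sensor from the slide is not on the page; what follows is an added example of the kind of sensor one can stand up within a day: a minimal speaker of the Redis wire protocol (RESP) that logs every command together with its source address and answers just plausibly enough to keep an automated attacker talking. The replies, the fake INFO text, the in-memory EVENTS list and the function names are assumptions for illustration, not real Redis behaviour or Endgame's code.

```python
"""Minimal Redis-protocol (RESP) sensor that logs what attackers send.

Added example, not the sensor the slides describe. It parses RESP
multi-bulk frames (and inline commands, which redis-cli and many scanners
use), records each command with the source address, and returns a
plausible reply. All reply contents are assumptions.
"""
import socketserver

EVENTS = []  # (source_ip, [command, arg, ...]) as logged by the sensor

# Constructed INFO text: an old-looking version string so scanners that
# fingerprint the server before attacking keep going.
FAKE_INFO = b"# Server\r\nredis_version:2.8.19\r\nos:Linux 3.13.0 x86_64\r\n"


def parse_resp(data):
    """Parse one command from bytes. Returns (args, remaining_bytes);
    args is None when the frame is incomplete, so the caller buffers."""
    if not data:
        return None, data
    if data[:1] != b"*":
        line, sep, rest = data.partition(b"\r\n")   # inline form: "PING\r\n"
        if not sep:
            return None, data
        return line.split(), rest
    line, sep, rest = data.partition(b"\r\n")
    if not sep:
        return None, data
    args = []
    for _ in range(int(line[1:])):
        if rest[:1] != b"$":
            raise ValueError("expected bulk string")
        hdr, sep, rest = rest.partition(b"\r\n")
        if not sep:
            return None, data
        n = int(hdr[1:])
        if len(rest) < n + 2:
            return None, data
        args.append(rest[:n])
        rest = rest[n + 2:]
    return args, rest


def bulk(s):
    """Encode a RESP bulk string."""
    return b"$%d\r\n%s\r\n" % (len(s), s)


def respond(args):
    """Plausible reply for a parsed command (assumed, not real Redis)."""
    cmd = args[0].upper()
    if cmd == b"PING":
        return b"+PONG\r\n"
    if cmd == b"INFO":
        return bulk(FAKE_INFO)
    if cmd in (b"SET", b"CONFIG", b"SLAVEOF", b"SAVE", b"FLUSHALL", b"AUTH", b"SELECT"):
        return b"+OK\r\n"
    if cmd == b"GET":
        return b"$-1\r\n"
    if cmd == b"EVAL":  # Lua payloads (the CVE-2015-4335 vector) land here and get logged
        return b"-ERR Error compiling script\r\n"
    return b"-ERR unknown command '%s'\r\n" % args[0]


def handle_bytes(source_ip, data):
    """Consume every complete command in `data`; returns (reply, leftover)."""
    out = b""
    while True:
        try:
            args, data = parse_resp(data)
        except ValueError:
            EVENTS.append((source_ip, ["<malformed>", data[:64].decode("latin-1")]))
            return out + b"-ERR Protocol error\r\n", b""
        if args is None:
            break
        if not args:
            continue
        EVENTS.append((source_ip, [a.decode("latin-1") for a in args]))
        out += respond(args)
    return out, data


class SensorHandler(socketserver.BaseRequestHandler):
    def handle(self):
        src, buf = self.client_address[0], b""
        while True:
            chunk = self.request.recv(4096)
            if not chunk:
                break
            buf += chunk
            reply, buf = handle_bytes(src, buf)
            if reply:
                self.request.sendall(reply)


if __name__ == "__main__":
    with socketserver.ThreadingTCPServer(("0.0.0.0", 6379), SensorHandler) as srv:
        srv.serve_forever()
```

In a real deployment EVENTS would be written to durable storage with timestamps rather than kept in memory, and the sensor would sit on a host with nothing else listening, so every connection it sees is by definition unsolicited.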
CVE-????-????
• Traffic observed targeting unknown devices
• No known vulnerabilities on the services running on those ports
Fun Stuff
• Data science early warning applications
• Dangling DNS
• Bandwidth budget calculation
• Worm tracking
• Search engine spoofing
• Reflected DDoS attacks
• Provider threat model
Really Fun Stuff
• Integration into Endgame cyber operations platform
  – Visibility into novel attacker techniques
  – Ability to collect new malware samples
  – Input into reputation services
  – Situational awareness
Conclusion
• Determine whether an attack is targeted or not
• Derive Internet-wide vulnerability exploitation attempts
• Collect omnidirectionally targeted malware samples
Questions?