Paolo Passeri - A Multi Layered Approach to Threat Intelligence

MILAN 20/21.11.2015 A Multi Layered Approach to Threat Intelligence Paolo Passeri

Upload: codemotion

Post on 15-Apr-2017


Category: Technology



TRANSCRIPT

Page 1

MILAN 20/21.11.2015

A Multi Layered Approach to Threat Intelligence

Paolo Passeri

Page 2

Powered by OpenGraphiti

Malware is Increasingly Sophisticated but…

Page 3

• Cybercrime is lucrative and is offered as a service
• The barrier to entry for opportunistic attacks is low
• State-sponsored attacks and organized crime are well funded
• New malware samples emerge at an unprecedented pace
• Malware is more and more sophisticated, even for opportunistic attacks

…The Entry Barrier is low

(Timeline figure, 1990–2020: "Hacking Becomes an Industry")
• Viruses: 1990–2000
• Worms: 2000–2005
• Spyware and Rootkits: 2005–Today
• APTs, Crime as a Service: Today+
Axis labels: from "Phishing, Low Sophistication" to "Sophisticated Attacks, Complex Landscape"

Addressing the Full Attack Continuum: Before, During, and After an Attack: http://www.cisco.com/web/learning/le21/le34/assets/events/i/gartner_BDA_Whitepaper.pdf

Page 4

An Increased Attack Surface

ADOPTION OF CLOUD SERVICES

Users are increasingly adopting cloud-based productivity tools, bypassing centralized controls and accessing the services from any device, anywhere. By 2018, 25% of corporate data traffic will bypass the perimeter security, connecting mobile devices directly to the cloud. Since this traffic bypasses the perimeter, by 2016 30% of targeted attacks will specifically target remote offices and entry points.

SHIFTING PARADIGM

New attack vectors have changed the security model: attackers do not penetrate the defences directly but lure the victims into being compromised.

Page 5

Observable Elements During Attack Lifecycle

Attackers’ Payloads
• Exploit Kit or Custom Code
• Known or Zero-Day Vulnerability
• Hardcoded or DGA Callbacks
• Communication Port/Protocols

Attackers Themselves
• Tools, Tactics & Procedures
• Industries & Data Targeted
• Motivations & Affiliations
• Languages & Geo-Regions

Attackers’ Infrastructure
• Setup Networks (& ASNs)
• Setup Servers (& Nameservers)
• Allocate IP Address Space
• Register (& Flux) Domains

Page 6

The Kill Chain (a possible model)

Phases: RECON → STAGE → LAUNCH → EXPLOIT → INSTALL → CALLBACK → PERSIST
Milestones marked along the chain: TARGET, BREACH, COMPROMISE, PIVOT
Timescales shown for each group of phases: hours to months (RECON, STAGE), seconds (LAUNCH, EXPLOIT, INSTALL), months (CALLBACK, PERSIST)
Campaign types: Opportunistic, Targeted

OBSERVABLE ELEMENTS

PAYLOAD: Exploit Kit or Custom Code; Known or Zero-Day Vulnerability; Hardcoded or DGA Callbacks; Communication Port/Protocols

ATTACKER: Tools, Tactics & Procedures; Industries & Data Targeted; Motivations & Affiliations; Languages & Geo-Regions

INFRASTRUCTURE: Setup Networks (& ASNs); Setup Servers (& Nameservers); Allocate IP Address Space; Register (& Flux) Domains

Page 7

Impact of a Breach

(Figure: timeline from START through MINUTES, HOURS and MONTHS)

Breach occurs: in 60% of cases attackers are able to compromise an organization within minutes.

The average time to discover a breach caused by an external attacker is 256 days.

75% of attacks observed spread from one victim to another within 24 hours, and over 40% hit the second organization one hour later.

Source: Verizon Data Breach Report 2015, Ponemon Data Breach Cost 2015

Page 8

Anatomy of a Drive-By/Watering-Hole Attack

STAGE: Attackers identify a legitimate vulnerable site and inject a malicious iFrame.

LAUNCH: The unaware victim visits the compromised page.

EXPLOIT: The iFrame redirects the user to an Exploit Kit landing page. The EK exploits a client vulnerability to inject the payload.

INSTALL: The Endpoint is compromised and under direct control of the attacker.

CALLBACK

Drive-By attacks are used for opportunistic campaigns, watering-hole attacks for targeted campaigns. In both cases the attacker can deploy sophisticated malware.

Page 9

Anatomy of a Spear Phishing Attack

Attackers identify the victim’s habits and weaknesses (technological and behavioural).

The malicious message is sent; it exploits software and human vulnerabilities (the example lure in the figure has the subject “Your Pay rise” and carries a 0-day).

The human vulnerability leads the user to open the attachment. The software vulnerability executes arbitrary code once the attachment is opened. The Endpoint is compromised and under direct control of the attacker.

Phases shown in the figure: RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST

Page 10

Countermeasures

Phases: RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST; milestones: TARGET, BREACH, COMPROMISE, PIVOT

Countermeasures placed along the chain, by layer:
• Infrastructure: Domain Classification
• Network: FW/IPS, Web/Email Gateways, 1st Gen Network Sandboxes
• Endpoint: AV, 1st Gen Sandbox
• Infrastructure: Domain Classification, IP/Domain Reputation
• Network: FW/IPS, Web Gateways, IP/Domain Reputation
• Endpoint: AV, 1st Gen Sandbox
• Policies: User Education

Page 11

And the multiple Ways to Evade Them

Phases: RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST; milestones: TARGET, BREACH, COMPROMISE, PIVOT

Evasion techniques placed along the chain, by layer:
• Infrastructure: Obfuscation, Domain Shadowing
• Network: Encryption, Obfuscation, Steganography
• Endpoint: Packing, Polymorphism (AV Evasion), Sandbox Detection
• Infrastructure: Malvertising, Obfuscation, Domain Shadowing
• Infrastructure (CALLBACK phase): Hardcoded IP, DGA, Fast Flux, P2P, TOR callbacks
• Endpoint: Polymorphism (AV Evasion), Sandbox Detection

Page 12

Evading Network Detection

Page 13

Evading Detection: Network and Reputation

Attackers can use multiple ways to avoid detection at the network level.

During the Install Phase:
• Encrypted payload on legitimate traffic/ports.
• Use of DDoS attacks to cloak subtle operations.
• Malvertising spreading malicious content on legitimate sites via Ad networks (hard to detect and categorise).

During the Callback Phase:
• Use encrypted protocols, P2P, TOR callbacks
• Callbacks hidden in Social Network, legitimate forum pages…
• DGA, Fast-Flux, Domain shadowing

Page 14

Evading Detection: Evolution of Callbacks & Domain Shadowing

(Figure: four generations of callback, each drawn with example IP addresses)
• HARD-CODED IP: the sample calls back to a single fixed address.
• “FAST FLUX”: a single domain (bad.com in the figure) resolves to a rapidly changing set of addresses.
• DOMAIN GENERATION ALGORITHM: the sample queries algorithmically generated domains (rnd.com, rnd.biz, rnd.net in the figure), each resolving to a different address.
• DOMAIN SHADOWING: random subdomains (decg, dojamg in the figure) are created under a hijacked legitimate domain (hjacklegitdomain.com) and pointed at attacker addresses.
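A DNS-level triage of the four callback patterns drawn on this slide (and listed under the callback phase on the previous one), added here as an example and not part of the talk: it runs simple heuristics over constructed passive-DNS/proxy records, flagging connections made with no lookup at all, one domain with many short-TTL answers, a burst of high-entropy names from one client, and new subdomains of a known domain pointing away from its real site. The record layout, the thresholds, the /24 comparison and the "registered domain = last two labels" rule are all assumptions.

```python
import math
from collections import defaultdict

# Constructed passive-DNS/proxy records (client, qname, answer_ip, ttl); not from the talk.
# qname None = a connection straight to an IP with no lookup; answer_ip None = NXDOMAIN.
RECORDS = [
    ("ws1", None, "198.51.100.7", None),                     # hard-coded IP callback
    ("ws2", "bad.example", "203.0.113.10", 60),              # one name, many short-TTL answers
    ("ws2", "bad.example", "203.0.113.11", 60),
    ("ws2", "bad.example", "203.0.113.12", 60),
    ("ws2", "bad.example", "203.0.113.13", 60),
    ("ws3", "xk3q9vplw2.example", None, None),               # DGA burst, mostly NXDOMAIN
    ("ws3", "q8zt1mvcxr.biz", None, None),
    ("ws3", "p0ws7kqaz4.net", None, None),
    ("ws4", "www.legit.example", "192.0.2.5", 3600),         # the hijacked domain's real site
    ("ws4", "decg.legit.example", "198.51.100.9", 3600),     # shadow subdomains pointed elsewhere
    ("ws4", "dojamg.legit.example", "198.51.100.10", 3600),
]

def entropy(label):
    """Shannon entropy in bits per character; machine-generated labels score high."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in label}
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0

def apex(qname):
    """Registered domain, assumed here to be the last two labels (no public-suffix list)."""
    return ".".join(qname.split(".")[-2:])

def classify(records, flux_ips=4, flux_ttl=300, dga_entropy=3.0, dga_min=3):
    """Map each of the slide's four callback patterns to the sorted evidence found for it."""
    found = {"hardcoded_ip": set(), "fast_flux": set(), "dga": set(), "domain_shadowing": set()}
    flux_answers, dga_hits = defaultdict(set), defaultdict(int)
    www_net = {apex(q): ip.rsplit(".", 1)[0] for _, q, ip, _ in records   # /24 of each domain's
               if q and q.startswith("www.") and ip}                        # own www host (assumed)
    for client, qname, ip, ttl in records:
        if qname is None:                                 # no lookup at all: hard-coded address
            found["hardcoded_ip"].add(ip)
            continue
        labels = qname.split(".")
        if len(labels) == 2:                              # query for the registered domain itself
            if ip and ttl is not None and ttl <= flux_ttl:
                flux_answers[qname].add(ip)
            if entropy(labels[0]) >= dga_entropy:
                dga_hits[client] += 1
        elif ip and labels[0] != "www" and www_net.get(apex(qname)) not in (None, ip.rsplit(".", 1)[0]):
            found["domain_shadowing"].add(qname)          # subdomain off the real site's network
    found["fast_flux"] = {d for d, ips in flux_answers.items() if len(ips) >= flux_ips}
    found["dga"] = {c for c, n in dga_hits.items() if n >= dga_min}
    return {k: sorted(v) for k, v in found.items()}
```

On real resolver logs the same four buckets are what a DNS-layer control (the "gate to the Internet" of the later slides) can act on before any payload is seen.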

Page 15

Evading Categorization: Exploit Kit Landing Pages

• Attackers try to obfuscate EK landing pages to avoid categorization by AV or other security solutions.

• Latest techniques include adding passages of classic text (the example reports several passages from “Sense and Sensibility”).

• The use of text from more contemporary works such as magazines and blogs is another effective strategy.

Source: Cisco Security Research

Page 16

Fighting AV Detection

Page 17

Evading Detection: Endpoint/Network AV

• Building AV signatures is a time-consuming and error-prone process.

• Cybercrime-as-a-service models make the entry barrier low.

• On average, 390,000 new malicious programs are detected every day.

• 95% of malware types show up for less than a month, and 4 of 5 don’t last beyond a week.

• 70–90% of malware samples are unique to an organization.

• Keeping up is simply impossible, as well as useless.

Source: http://avtest.org, Verizon 2015 DBIR Report

Page 18

Do you Want to Play in My Sandbox?

Page 19

Evading Detection: Sandboxes

• Sandboxes have been conceived to overcome the limitation of signature-based analysis.

• Malware authors are increasing their use of sandbox detection techniques.

• Evasion techniques are becoming more and more sophisticated (the figure ranks them by sophistication):
  • sleeping,
  • stalling loops,
  • hypervisor checks, registry checks, memory and vCores enumeration,
  • human activity checks,
  • API calls executed directly in assembler.

Example of several evasion techniques from http://www.malwarestats.org

Page 20

Nothing to see (and to detect) here… Please disperse…

Page 21

Targeted Attack Hierarchy of Needs

Source: http://blogs.forrester.com/rick_holland/14-05-20-introducing_forresters_targeted_attack_hierarchy_of_needs

Page 22

Building a Solid Foundation

• Trying to fight advanced threats ignoring the fundamentals is not an effective approach.

• Focus on identifying a realistic security strategy, recruit the right staff and implement the basic countermeasures.

Page 23

An Integrated Portfolio that Enables Orchestration

This concept applies to processes and technologies.

• Create a process framework that removes “silos” and allows communication between internal entities.

• When evaluating technology, prioritize vendors that offer multiple pillars as well as those that have third-party integrations that make operationalizing the solution effective.

Page 24

Gain Visibility Through the Attack Continuum

(Figure: the attack continuum, with VISIBILITY AND CONTEXT spanning all three stages)
• BEFORE: Discover, Enforce, Harden
• DURING: Detect, Block, Defend
• AFTER: Scope, Contain, Remediate

BEFORE: Comprehensive awareness and visibility in order to predict threats, educate users, implement policies and controls.

DURING: Identify the threat context. Collect and correlate data from multiple points. Evolve into a continual analysis process.

AFTER: Apply a retrospective security model: continuously gather and analyze data to create security intelligence.

Open | Pervasive | Integrated | Continuous

http://www.cisco.com/web/learning/le21/le34/assets/events/i/gartner_BDA_Whitepaper.pdf

Page 25

With an Adaptive Security Architecture

Source: Gartner: Designing an Adaptive Security Architecture for Protection From Advanced Attacks

Page 26

Deploy a Multi Layer Approach

(Figure: Cloud Based Threat Intelligence laid over the kill chain phases RECON, STAGE, LAUNCH, EXPLOIT, INSTALL, CALLBACK, PERSIST, with the four functions of the adaptive security architecture)

PREDICT: Enforce cloud-based threat intelligence to predict attacks before they happen.
• DNS/WHOIS/Email/ASN data allow pivoting through the attacker infrastructure.

PREVENT: Enforce the first level of security at the DNS level: consider the DNS as the gate to the Internet.

DETECT: Build a framework of solutions that interoperate and allow threat models and IoCs to be exchanged in real time among the different layers:
• NGFW/NGIPS
• Network-based sandboxes
• Email Security/Web Security Gateways

RESPOND: Enforce cloud-based threat intelligence to perform retrospective analysis.

Open | Pervasive | Integrated | Continuous

Page 27

Example: The Diamond Model of Intrusion Analysis

Vertices (as drawn in the figure):
• Adversary and Victim: personas (email addresses, handles, phone #’s), network assets, email addresses
• Infrastructure: IP Addresses, Domain Names, ASN, Email Addresses
• Capability: Malware, Exploits, Hacker Tools

Meta Features
• Timestamp
• Phase
• Result
• Direction
• Methodology
• Resources

An adversary deploys a capability over some infrastructure against a victim. These activities are called events. Analysts or machines populate the model’s vertices as events are discovered and detected. The vertices are linked with edges highlighting the natural relationship between the features.

Source: The Diamond Model of Intrusion Analysis: http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf

Page 28

Applying The Diamond Model

(Figure: the diamond with Adversary, Victim, Infrastructure and Capability vertices, annotated with the pivots below)

1. The victim (organization) discovers a threat
2. Threat contains C2 domain
3. C2 domain resolves to C2 IP
4. Logs reveal further victims contacting C2 IP
5. IP address ownership reveals adversary

By pivoting across edges and within vertices, analysts expose more information about adversary operations and discover new capabilities, infrastructure, and victims.

Source: The Diamond Model of Intrusion Analysis: http://www.dtic.mil/dtic/tr/fulltext/u2/a586960.pdf
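The five pivots on this slide carried through as code, added here as an example and not from the talk or the Diamond Model paper: each pivot is a lookup into a constructed data source (sample analysis, passive DNS, proxy logs, IP ownership), and the output is an activity thread of Diamond events sharing one capability and one infrastructure vertex. The last function goes one step past the slide and pivots within the Victim vertex to list other destinations the new victims contacted, as leads rather than confirmed infrastructure. All names, hashes, addresses and the event layout are assumptions.

```python
# Constructed data sources standing in for the analyst's tools; none of it is from the talk.
SAMPLE_C2 = {"sha256:CONSTRUCTED-SAMPLE-1": "c2.bad.example"}      # step 2: C2 domain in the sample
PASSIVE_DNS = {"c2.bad.example": ["203.0.113.45"]}                  # step 3: domain -> IP(s)
PROXY_LOGS = [                                                      # step 4: (host, dest_ip, time)
    ("hr-laptop-07", "203.0.113.45", "2015-11-02T09:14Z"),
    ("finance-ws-02", "203.0.113.45", "2015-11-03T17:40Z"),
    ("finance-ws-02", "192.0.2.80", "2015-11-03T17:41Z"),
    ("dev-box-11", "198.51.100.20", "2015-11-04T08:00Z"),
]
IP_OWNERSHIP = {"203.0.113.45": "handle 'badactor-ops' (CONSTRUCTED-ASN)"}  # step 5: WHOIS/ASN

def diamond_event(victim, capability, infrastructure, adversary=None, phase="callback", timestamp=None):
    """One Diamond Model event: the four vertices plus a few of the meta-features the slide lists."""
    return {"adversary": adversary, "capability": capability, "infrastructure": set(infrastructure),
            "victim": victim,
            "meta": {"timestamp": timestamp, "phase": phase, "direction": "victim-to-infrastructure"}}

def pivot(first_victim, sample):
    """Apply the slide's five pivots from one discovered sample and return the activity thread:
    the original event plus one event per additional victim found talking to the same C2."""
    c2_domain = SAMPLE_C2[sample]                           # 1-2: threat found, C2 domain extracted
    c2_ips = set(PASSIVE_DNS.get(c2_domain, []))            # 3: C2 domain resolves to C2 IP
    infra = {c2_domain} | c2_ips                            # the Infrastructure vertex grows
    adversary = next((IP_OWNERSHIP[ip] for ip in c2_ips if ip in IP_OWNERSHIP), None)  # 5
    thread = [diamond_event(first_victim, sample, infra, adversary, phase="install")]
    seen = {first_victim}
    for host, dst, ts in PROXY_LOGS:                        # 4: logs reveal further victims
        if dst in c2_ips and host not in seen:
            seen.add(host)
            thread.append(diamond_event(host, sample, infra, adversary, timestamp=ts))
    return thread

def victims(thread):
    """Victim vertices in discovery order, for reporting."""
    return [ev["victim"] for ev in thread]

def candidate_infrastructure(thread, logs):
    """Pivot within the Victim vertex (beyond the slide's five steps): other destinations the
    discovered victims contacted, offered as analyst leads, not as confirmed infrastructure."""
    known = set().union(*(ev["infrastructure"] for ev in thread))
    hosts = set(victims(thread))
    return sorted({dst for host, dst, _ in logs if host in hosts and dst not in known})
```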

Page 29

Conclusions

• Malware is more and more sophisticated, and the entry barrier is low from both a technical and an economic standpoint.

• The growing adoption of cloud services and a new attack paradigm (in->out) increase the attack surface.

• Evasion techniques are increasingly common and are becoming more and more aggressive.

• A multi-layer approach to threat intelligence allows pivoting through the attackers’ infrastructure, making the target able to predict, detect and perform retrospective analysis.

Page 30

Leave your feedback on Joind.in! https://m.joind.in/event/codemotion-milan-2015