Extracting the Malware Signal from Internet Noise
- 1. Extracting the Malware Signal from Internet Noise Andrew Morris, Researcher 1
- 2. # whoami • Andrew Morris • Background in offense • R&D @ Endgame 2
- 3. Tactical Insights from Global Trends • My network is being scanned/attacked – Am I being targeted specifically? – Are other people seeing this as well? • A vulnerability has been disclosed – Is anyone probing for this vulnerability? – Is anyone exploiting this vulnerability? 3
- 4. 4 Faraday A Global Network of Sensors Untargeted Malware Geographically & Logically Dispersed Omnidirectional Internet Traffic for Collection & Analysis If something is *not* in Faraday, it is likely targeted
- 7. Four Kinds of Traffic on Your Network The difference between these can be hundreds of thousands of $$ in incident response Worm, Mass Exploit Campaign Regular Web User Advanced Persistent Threat Search Engines (e.g. Google) MaliciousBenign Omnidirectional Targeted 7
- 8. My Network is Being Attacked Omnidirectional Malicious $ faraday --ip 123.123.123.123 | wc -l 42013 Targeted Malicious $ faraday --ip 1.2.3.4| wc -l 0 8
- 9. A Vulnerability Has Been Disclosed • Is anyone probing for this vulnerability? • Is anyone massively exploiting this vulnerability? 9
- 10. Cisco CVE-2016-1287 Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability • Critical • Disclosed Feb 10, 2016 • Affects all Cisco ASAs 0 500 1000 1500 2000 2500 3000 Faraday Port 500 Faraday Port 500 10
- 11. Cisco CVE-2016-1287 The spike and diversity of IP addresses over time implies: • People are not just probing, but actively targeting it • Where they are coming from • Who may have known about the vulnerability prior to public disclosure • It is not (yet) being massively exploited 11
- 12. Redis CVE-2015-4335 • Remote code execution vulnerability in Redis – Built and deployed a custom Redis sensor less than 24 hours after the vulnerability was published – Observed attacker behavior – Recorded attacker IP addresses 12
- 13. CVE-????-???? • Traffic observed targeted unknown devices • No known vulnerabilities on services running on those ports 13
- 14. Fun Stuff • Data Science Early Warning Applications • Dangling DNS • Bandwidth budget calculation • Worm tracking • Search engine spoofing • Reflected DDOS attacks • Provider threat model 14
- 15. Really Fun Stuff • Integration into Endgame cyber operations platform – Visibility into novel attacker techniques – Ability to collect new malware samples – Input into reputation services – Situational awareness
- 16. Conclusion • Whether an attack is targeted or not • Derive Internet-wide vulnerability exploitation attempts • Collect omnidirectionally targeted malware samples 16
- 17. 17 Questions?
Editor's Notes
- #4: Changed title - was ‘Problems’
- #5: See slide 19 for previous version, here’s the text for you to either speak to or add back in case I emphasized the wrong points: Network of sensors Geographically and locally diverse Collect, catalogue, and analyze omnidirectional Internet traffic If something is *not* in Faraday, it is targeted By collecting all omnidirectional traffic, we can reduce it from regular traffic Distinguish all “background noise” Collect untargeted malware
- #6: I stole the check marks from Phil’s – I kind of like that it adds color, and reinforces the positive, but can easily be convinced they aren’t necessary See slide 22, 23 for previous versions
- #7: See hidden slide 20 for original version
- #8: See hidden slide 21 for previous version
- #9: Got rid of scanned in the header since it only covers malicious in the body; see slide 24 for original
- #10: Combined this with a build out to lead into the example
- #11: See slide 25 for original – added graph and reorganized Yellow circle only appears on a build, you can delete, but may be useful visually to show how small the numbers were prior, not that it was non-existent Should the title of the graph have ‘scans’ or something like that after Port 500? Omitted the following text from the next slide “Huge spike in relevant traffic when this vulnerability was disclosed” as you can speak to it here with the chart, and it segues well to next slide.
- #12: When I was working on this earlier today, Bobby came by and noted this would be a good place to reiterate probing vs exploited with the language I gave it. It was previously: Faraday told us: Yes, people are actively probing for this Where they were coming from Who may have known about the vulnerability prior to public disclosure Is it not (yet) being massively exploited
- #15: Added early warning with data science
- #17: Removed the ‘or not’s, since that is implied
- #28: I stole the check marks from Phil’s – I kind of like that it adds color, and reinforces the positive, but can easily be convinced they aren’t necessary See slide 22, 23 for previous versions