Damballa Overview
1. Transforming the Fight Against Cyber Threats
David Petty
May 30,2012
David.Petty@damballa.com
949-325-4625
When malware talks…Damballa listens
2. Why Damballa Advanced Threat Protection?
Mitigate corporate risk
• Discover hidden threats that have gone undetected
• Terminate criminal communications and the risk of data theft
• Earliest possible discovery of emerging threats
Improve security team efficiency
• Threat Conviction Engine effectively eliminates false positives
Improve incident response workflow
• Asset Risk Factor helps prioritize response and reduce the cost of remediation
Secure ALL devices - traveling, mobile and BYOD
• Analyze network behavior to protect any endpoint device regardless of infection vector or phase of the threat lifecycle (PC, Mac, iPad, iPhone, Android, servers, embedded systems…)
3. ‘Protection’ has its limitations
[Diagram: the corporate production network, its ingress guarded by network-based inbound malware capture and analysis tools, surrounded by the endpoint types and entry vectors those tools do not cover. Central question: how do you detect a breach?]
Through the ‘front door’ (ingress):
• Network-based inbound malware capture and analysis tools
• Encrypted/armored malware, etc.
Endpoints on the production network: Win32/Win64 PCs, Mac, embedded systems/POS/other OS
Other entry vectors:
• USBs/DVDs/cloud storage
• Traveling employees/contractors/BYOD (“Bring Your Own malware”)
• “Guest” network
4. Shifting from Protection to Detection
[Diagram: corporate production network (PCs, Mac, embedded/POS, “Guest” network) viewed through two detection approaches side by side.]
Static approach - black lists and reputation systems:
• Noisy alerts
• False positives (not correlated with other evidence)
Criminal communications seen on the wire:
• Known bad destinations
• Mixed-use destinations
• New destinations (no history)
• Covert channels
Damballa® FirstAlert - The most advanced cyber threat intelligence
- Early detection of emerging threats
- Machine-learning behavioral classifiers (heuristics)
Threat Conviction Engine
- Automatically correlates behaviors seen
- Virtually eliminates false positives
Asset Risk Factor
- Automatically assesses severity of breach
- Prioritization of risk and remediation
“…Damballa Failsafe 5.0 intelligently uncovers stealthy and hidden attacks masterfully avoiding any false positive alerts. Frost & Sullivan views this solution as a novel dimension to safeguard corporate networks.” (Frost & Sullivan)
5. Active Threat Monitoring (Enterprise Networks)
We discover hidden infections that have gone undetected
by preventative security measures:
APT, advanced malware, targeted attacks…whatever.
Network detection of suspicious downloads (inbound malware)
Endpoints communicating to suspicious destinations
Network behavior indicative of criminal communication
DNS look-ups & activity indicative of criminal behavior
Deep packet inspection and PCAPs of criminal traffic
Using the most advanced threat intelligence in the industry
Correlating observations of criminal activity to
positively identify hidden infections.
6. Damballa® Failsafe
1U Appliance
Management Console & Sensor(s)
Out-of-band (span or tap)
Captures and assesses evidence from egress,
proxy and DNS traffic to hunt for hidden threats
Can terminate criminal communications
Management Console pinpoints
compromised assets; provides network and
host forensics with criminal attribution
Integrated workflow….
7. Damballa® Labs
Threat Analysis
• Sr. threat analysts with 10+ years of experience; ex NSA, CIA, DoD
• Reverse engineering, deep penetration
• Thought leadership: Blackhat, Defcon, RSA, HackerHalted, FIRST, ISSA, IEEE, VB, etc.
• Publications: blogs, whitepapers, articles, training courses
Applied Research
• Doctorate-level, top-tier academics
• Big Data analysis, predictive analytics, machine learning
• Thought leadership: USENIX, ACSAC, NSDI, ICDM, CCS, NDSS, RAID, etc.
• Publications: top-tier academic conferences and patents
[Logos: notable research backers]
8. Damballa® FirstAlert Cyber Threat Intelligence
[Diagram: data sources feed feature extractors and harvesters, which feed the reputation systems, correlation engines and predictive systems.]
Data sources: ISP sharing feeds, telco, corporate and external data feeds, contributing malware samples (corporate, mobile, drive-by, honeypot, email), DNS, URI, PCAP, registry and blacklist data
Processing: feature extractors, harvesters
Outputs: reputation systems, correlation engines, predictive systems
9. Emerging Threat Discovery
Predictive analysis systems: threat growth characteristics and C&C structure are visible (and unique) at the DNS level, so it is possible to identify new C&C infrastructure prior to the malware being captured and analyzed.
[Timeline, in weeks: set-up → early testing → attack launched → malware first discovered → malware updated, with the victim count growing throughout. Damballa detects the threat weeks/months before the malware is detected, while the malware continues to evade signature-based detection.]
10. Damballa® Failsafe
[Diagram: enterprise assets → DNS, proxy and egress traffic → Damballa sensor(s), fed by Damballa cyber threat intelligence.]
Deep packet inspection of all Internet traffic, asking three questions:
Is the destination shady?
• Suspicious destination, low reputation or known bad
Is the traffic suspicious?
• Suspicious content; DPI of payload / executables / files
Is the behavior automated?
• Do the events appear to be software- or human-driven?
Correlation of ‘behaviors seen’ pinpoints infected devices.
Damballa Failsafe identifies the ‘unknown’ threat: victim machines actively communicating with cyber criminals.
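The slide's three questions turned into code, as an added example that is not part of the original deck or of Damballa's product: each question becomes one detector over a constructed proxy log, and a host is convicted only when two independent behaviors point at the same destination. The log records, the reputation set, the destination history and the thresholds are all assumptions made up for the example.

```python
"""Toy 'behaviors seen' correlation over constructed proxy-log records.

Added illustration, not Damballa code: the three questions on the slide
(shady destination? suspicious content? automated behavior?) are each turned
into a simple detector, and a host is convicted only when two independent
behaviors point at the same destination.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample records: (timestamp_s, src_host, dst_domain, content_type)
PROXY_LOG = [
    # 10.0.0.5 checks in with a never-seen destination every ~5 minutes (jittered)
    (0,    "10.0.0.5", "cc-panel.example", "text/plain"),
    (298,  "10.0.0.5", "cc-panel.example", "text/plain"),
    (605,  "10.0.0.5", "cc-panel.example", "text/plain"),
    (901,  "10.0.0.5", "cc-panel.example", "text/plain"),
    (1197, "10.0.0.5", "cc-panel.example", "text/plain"),
    (1503, "10.0.0.5", "cc-panel.example", "text/plain"),
    # 10.0.0.7 browses a known site at human-looking, irregular intervals
    (10,   "10.0.0.7", "www.example.com", "text/html"),
    (45,   "10.0.0.7", "www.example.com", "text/html"),
    (400,  "10.0.0.7", "www.example.com", "image/png"),
    (402,  "10.0.0.7", "www.example.com", "text/html"),
    (1000, "10.0.0.7", "www.example.com", "text/html"),
    # 10.0.0.9 visits a brand-new blog twice: one weak signal, no conviction
    (50,   "10.0.0.9", "blog.new-site.example", "text/html"),
    (700,  "10.0.0.9", "blog.new-site.example", "text/html"),
    # 10.0.0.11 pulls an executable from a destination on the bad list
    (77,   "10.0.0.11", "dl.bad.example", "application/x-msdownload"),
]

# Assumed inputs a sensor would get from its intelligence feed and its own history.
KNOWN_BAD = {"dl.bad.example"}
HISTORY = {"www.example.com", "updates.example.org", "mail.example.com"}
EXECUTABLE_TYPES = {"application/x-msdownload", "application/x-dosexec",
                    "application/octet-stream"}


def is_beaconing(times, min_events=5, max_cv=0.15):
    """Software-driven check-ins have near-constant spacing; humans do not.

    Flags when at least `min_events` connections have a coefficient of
    variation (stdev / mean of the gaps) of `max_cv` or less.
    """
    if len(times) < min_events:
        return False
    ts = sorted(times)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    m = mean(gaps)
    return m > 0 and pstdev(gaps) / m <= max_cv


def behaviors_seen(log, known_bad=KNOWN_BAD, history=HISTORY):
    """Map (src, dst) -> set of behavior labels observed for that pair."""
    events = defaultdict(list)
    for t, src, dst, ctype in log:
        events[(src, dst)].append((t, ctype))
    seen = {}
    for (src, dst), evs in events.items():
        labels = set()
        if dst in known_bad:
            labels.add("known_bad_destination")
        elif dst not in history:
            labels.add("new_destination")
        if is_beaconing([t for t, _ in evs]):
            labels.add("automated_beaconing")
        if any(c in EXECUTABLE_TYPES for _, c in evs):
            labels.add("executable_download")
        if labels:
            seen[(src, dst)] = labels
    return seen


def convict(seen, min_behaviors=2):
    """Return [(src, dst, behaviors)] for pairs with enough independent evidence.

    Requiring two behaviors is what keeps a single 'new destination' hit
    (10.0.0.9 above) from becoming an alert.
    """
    return sorted((src, dst, tuple(sorted(labels)))
                  for (src, dst), labels in seen.items()
                  if len(labels) >= min_behaviors)


if __name__ == "__main__":
    for src, dst, why in convict(behaviors_seen(PROXY_LOG)):
        print(f"{src} -> {dst}: {', '.join(why)}")
```

Run as-is it convicts 10.0.0.5 (new destination plus beaconing) and 10.0.0.11 (known-bad destination plus executable download) and stays silent on the two benign hosts. The beacon test tolerates a few seconds of jitter but not human browsing; in practice the thresholds have to be tuned per network, and any single detector fires alone far more often than the two-behavior conviction does.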
12. Actionable Intelligence
Victims Identified → Relative Risk Assessed → Threats Classified → Threat Activity Qualified
Asset Risk Factor - relative risk posed by infected device
Local factors (per asset):
• Bytes In - receiving instructions, updates, malware being repurposed?
• Bytes Out - indicative of the amount of data stolen?
• Connection Attempts - how frequently is the asset communicating with a C&C?
• Category - where does the asset sit / who does it belong to?
• # of Threats - is the asset compromised with more than one threat?
Global factors (per threat):
• Severity - what is the risk of the threat?
• AV Coverage - for a specific threat, what is my relative AV coverage?
13. Actionable Intelligence
Victims Identified → Relative Risk Assessed → Threats Classified → Threat Activity Qualified
Full forensics for all behaviors seen:
• All events in sequence
• Full PCAPs for malicious traffic
• Malware samples captured
• Malware trace reports (host and network behaviors)
• Bytes in / bytes out
• Ports / traffic type
• Connection status (failed, proxy blocked, completed)
• Category and priority of risk of endpoint
• Threat operator profile
• Endpoint compromise history
• Geo-location of C&C
14. Identifying Zero Day Malware
Step 1 - Identify suspicious files in motion (behaviors seen & benefits):
• Suspicious files in motion
• Malicious structure
• Source / URI identification
• Unique victim enumeration
• Initial threat assessment
• Zero day files captured
Step 2 - Cloud interrogation of suspicious files (behaviors seen & benefits):
• Full malware lifecycle
• Network & host behaviors
• AV scanner results
• Extensive dynamic analysis
• Ongoing trace report updates
• Behaviors feed Damballa Labs
Step 3 - Full malware forensics report in the Damballa Failsafe console
15. Identifying Criminal Communication
[Diagram: a victim whose malware carries a configuration file or a domain generation algorithm (DGA) resolves the C&C location through the recursive and authoritative DNS, then opens a TCP/IP session through the firewall (egress) and the proxy/filtering layer to the criminal C&C server. Sensors observe each stage.]
DNS - behaviors seen & benefits:
• Malicious DNS queries
• Domain fast-fluxing detection
• New domain queries
• Unique victim enumeration
• Detection prior to egress
• DNS query termination
TCP/IP session, at both the egress and the proxy-filtering sensor positions - behaviors seen & benefits:
• C&C connection behaviors/success
• URI identification (incl. HTTPS)
• Malicious file identification (malware)
• Unique victim enumeration
• Detection prior to egress (one position); bytes-in & bytes-out monitoring (the other)
• Full packet capture
• Session termination
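The DNS stage above lists three behaviors (malicious and new domain queries, fast-fluxing) that can be seen before any egress traffic exists. The following is an added example, not code from the deck or from Damballa's product, showing one simple way each can be detected from resolver records: a lexical DGA heuristic on the queried name, an NXDOMAIN-burst check per client, a fast-flux check per name, and a combination of the first two that names the one generated domain that actually resolved. The sample DNS records, the thresholds and the heuristic itself are constructed assumptions.

```python
"""Toy DNS-level detectors for the three DNS behaviors on the slide.

Added illustration, not Damballa code: scores domain names for DGA-likeness,
finds clients that burn through many unresolvable names (the usual DGA
footprint), spots fast-flux domains, and combines the first two to name a
likely C&C before any egress traffic exists. Thresholds and the sample DNS
records are constructed for the example.
"""
import math
from collections import Counter, defaultdict

# Constructed sample DNS transactions: (timestamp_s, client, qname, rcode, ttl, answer)
DNS_LOG = [
    # 10.0.0.5 walks a generated list until one name resolves
    (0,   "10.0.0.5", "qx7vkzp3rlmw.example", "NXDOMAIN", None, None),
    (12,  "10.0.0.5", "zb4tkq9wjfhd.example", "NXDOMAIN", None, None),
    (25,  "10.0.0.5", "hgxm2pr7ltvk.example", "NXDOMAIN", None, None),
    (37,  "10.0.0.5", "wrtz5mkp8qvb.example", "NXDOMAIN", None, None),
    (49,  "10.0.0.5", "pkvz3xtr6lhq.example", "NXDOMAIN", None, None),
    (61,  "10.0.0.5", "k9qzxwvp2mnb.example", "NOERROR", 60, "203.0.113.7"),
    # 10.0.0.7: ordinary browsing, stable answer, long TTL
    (5,   "10.0.0.7", "www.example.com", "NOERROR", 3600, "93.184.216.34"),
    (900, "10.0.0.7", "www.example.com", "NOERROR", 3600, "93.184.216.34"),
    # 10.0.0.8: one name, a different address on every short-TTL answer
    (10,  "10.0.0.8", "fluxy.example", "NOERROR", 60, "198.51.100.1"),
    (70,  "10.0.0.8", "fluxy.example", "NOERROR", 60, "198.51.100.2"),
    (130, "10.0.0.8", "fluxy.example", "NOERROR", 60, "198.51.100.3"),
    (190, "10.0.0.8", "fluxy.example", "NOERROR", 60, "198.51.100.4"),
    (250, "10.0.0.8", "fluxy.example", "NOERROR", 60, "198.51.100.5"),
    # 10.0.0.9: a real English word that the lexical heuristic alone would flag
    (300, "10.0.0.9", "strengths.example", "NOERROR", 86400, "192.0.2.44"),
]


def registered_label(qname):
    """Label left of the TLD. Assumption: no public-suffix list, so co.uk-style TLDs are not handled."""
    labels = qname.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def longest_nonvowel_run(s):
    best = run = 0
    for ch in s:
        run = 0 if ch in "aeiou" else run + 1
        best = max(best, run)
    return best


def looks_generated(qname):
    """Lexical DGA heuristic: a long vowel-free run, or high entropy in a long label."""
    label = registered_label(qname)
    return longest_nonvowel_run(label) >= 5 or (len(label) >= 12 and shannon_entropy(label) >= 3.5)


def nxdomain_bursts(log, window=600, min_unique=5):
    """Clients that fail to resolve >= min_unique distinct names inside one window."""
    failures = defaultdict(list)
    for ts, client, qname, rcode, _ttl, _ans in log:
        if rcode == "NXDOMAIN":
            failures[client].append((ts, qname))
    flagged = {}
    for client, items in failures.items():
        items.sort()
        for t0, _ in items:
            names = {q for t, q in items if t0 <= t < t0 + window}
            if len(names) >= min_unique:
                flagged[client] = len(names)
                break
    return flagged


def fast_flux_domains(log, min_ips=5, max_ttl=300):
    """Names answered with many distinct addresses, all on short TTLs."""
    ips, ttls = defaultdict(set), defaultdict(list)
    for _ts, _client, qname, rcode, ttl, ans in log:
        if rcode == "NOERROR":
            ips[qname].add(ans)
            ttls[qname].append(ttl)
    return {q for q in ips if len(ips[q]) >= min_ips and max(ttls[q]) <= max_ttl}


def suspect_cnc(log):
    """Generated-looking names that DID resolve for a client in an NXDOMAIN burst: (client, qname, ip)."""
    bursting = nxdomain_bursts(log)
    return {(client, qname, ans)
            for _ts, client, qname, rcode, _ttl, ans in log
            if client in bursting and rcode == "NOERROR" and looks_generated(qname)}


if __name__ == "__main__":
    print("NXDOMAIN bursts:", nxdomain_bursts(DNS_LOG))
    print("fast-flux:", fast_flux_domains(DNS_LOG))
    print("likely C&C:", suspect_cnc(DNS_LOG))
```

The `strengths.example` record is there on purpose: a lexical heuristic alone flags ordinary words with long consonant runs, which is why the C&C candidate list requires the client to also be in an NXDOMAIN burst. Fast-flux detection is independent of the name's shape; `fluxy.example` is caught purely from the answer churn and TTL.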
16. Protection From The ‘Unknown’ Threat
Enables rapid, automated incident response
• Rapid and positive identification of compromised assets
• Asset Risk Factor and Threat Conviction Scores prioritize response
• Terminate malicious communications and/or sinkhole DNS requests
Provides comprehensive threat protection
• Platform agnostic: Windows, Linux, Apple, Android, Blackberry
• Leading academic research and advanced threat intelligence
Force multiplier for over-tasked security teams
• No more manual analysis of millions of lines of logs and false alerts
• Automated aggregation and assessment of evidence/forensics:
- Automatically Identifies the infection, threat and risk
- Provides actionable intelligence
• Security teams can focus on improving policies and threat defense
17. Competition and Value Proposition
Damballa’s unique strengths include:
• Scale: our solution scales much better than our competition; our standard sensor handles 2 Gbps.
• Early detection: we detect emerging threats and protect our customers before the malware is discovered and analyzed by our competition.
• Accuracy: we have a lower false-positive rate than our competition and accurately detect more threats.
19. Advanced Malware Infection Cycle
[Diagram: the victim at the bottom; dropper(s), a downloader, an updater site, a data repository and the criminal command & control (multiple C&C proxies, separate C&C portals) arranged around it.]
Dropper(s): dropper unpacks on the victim machine and runs; confirm installation; logging of install successes
Post unpack: disable local security; prevent updates/patches; delete dropper/installer; inventory victim; clear logs & events
Downloader: download payload; host malware agent(s); agent selection criteria (is this a real machine? have I seen it before?); whitelisted repositories; unique malware agent; update malware location
Post agent install: catalogue & inventory; remote access & control
Updater site: malware updates; updates to list of C&Cs; agent integrity checking; locking of agent to victim machine; malware is updated/customized
Data repository: encrypted files from victim; stolen passwords & PII
Criminal command & control: multiple C&C proxies / separate C&C portals
20. Advanced Malware Infection Cycle
[Same diagram as slide 19 (victim, dropper(s), downloader, repository, C&C proxies and portals), overlaid with where Failsafe observes the traffic.]
Damballa Failsafe monitors network traffic and correlates suspicious ‘behaviors seen’ to rapidly identify assets under criminal control, and stop data theft due to malware breaches.
Editor’s Notes
As we discussed, the malware is increasingly capable of evading your security defenses. In addition, there are a whole host of infection vectors that can compromise your network and form the basis for a breach. Your mobile employees can bring malware into the organization when they reconnect to your network, and USB devices and such serve as other ‘carriers’ of malware.

April 15, DarkReading (International): SAP, other ERP applications at risk of targeted attacks. Backdoor Trojan viruses and rootkits that let attackers gain a foothold and remain entrenched in a compromised system aren’t just for Windows PCs anymore — SAP and other enterprise resource planning (ERP) applications are also susceptible to this form of attack. A researcher at Black Hat Europe in Barcelona, Spain this week demonstrated techniques for inserting backdoors into SAP applications to enable attackers to gain control of them. The director of research and development at Onapsis said an attacker would initially exploit weak database protections or vulnerabilities in the underlying operating system, for instance, to gain access to the SAP apps and data. The hacks do not exploit any new or existing vulnerabilities in SAP. Once the system is compromised, the attacker would grab the necessary elevated privileges to insert the stealthy backdoor code and remain under the radar to pilfer sensitive information. With the backdoor presence, the attacker could modify a victim company’s electronic payments to a vendor, for example. “So every automated payment to that vendor would go to the attacker’s [bank] account [instead],” the director said. Source: http://www.darkreading.com/security/vulnerabilities/showArticle.jhtml?articleID=224400438
[Failsafe screen shot] With Damballa Failsafe, security analysts and incident responders no longer need to react to noisy alerts or manually search through logs to identify infections. Damballa Failsafe automatically captures evidence of malicious communications, correlates the suspicious events, pinpoints those assets under criminal control and enables you to stop the loss of sensitive data. Victim machines are automatically assigned a Risk Factor to prioritize the compromises that require immediate attention. All forensic evidence is displayed… and ongoing monitoring allows you to ensure you have successfully remediated the threat. For each threat that we identify on a victim machine, we provide a Threat Conviction Score indicating the confidence level we are placing on our detection based on the behaviors we have seen. And for every infected asset, we provide an Asset Risk Factor, indicating which assets we believe represent the biggest risks to your enterprise and the biggest risk for data loss and breach activity. This allows your incident response team to easily prioritize their remediation and investigation activities…
Step 1 - Indictment phase
• Sensors identify all raw PE32 and PDF files seen in traffic.
• Sensors examine each file for MD5, source, and structure.
• A decision is made whether the file is “Suspicious” or “Malicious”, AKA ‘the indictment’. If indicted as “Malicious”, it means we have seen the MD5 hash before; otherwise the file is listed as ‘Unverified’ in the Asset Summary screen and the Suspicious File report, and the reasons for suspicion are displayed.
• At this point the malware admin can save the file to a local machine.
• If ‘indicted’, the file goes to the cloud for processing (auto / manual submit). Auto: the file is sent immediately to Damballa Labs for processing. Manual: the customer must hit submit (Asset Summary screen / Suspicious File report).
Step 2 - Conviction phase
• Damballa Labs runs the file through AV scanners and dynamic analysis in ‘dirty space’.
• Damballa Labs reviews the system outputs and makes a decision: Malicious | Suspicious | Benign.
• Malicious files become part of the training sets and are continuously examined.
• By examining malware at Damballa Labs, the behaviors identified enable: malware grouping & clustering; malware & C&C linkage; public victim enumeration; network behavioral clustering; pay-per-install milking; long-term monitoring.
• Outcomes: threat operator enumeration and attribution; malware family-tree reconstruction; authoritative DNS and sinkholing of domains; 0-day exploit and malware family discovery; new droppers & payloads from crime servers; specific malware and threat infiltration.
Step 3 - Malware forensics report
• Target delivery time is 10 minutes for the initial report.
• The report includes the reason why the file was convicted as ‘Malicious’, ‘Suspicious’ or ‘Benign’, a summary report and a detailed report.
• Reports are ‘living’: they are updated constantly as we learn more about the malware.
• Enables actionable intelligence for remediation efforts, risk prioritization, and delivery of the file to AV vendors for signature creation.
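The Step 1 decision in code, as an added example that is not part of the notes or of Damballa's product: carve PE32 and PDF files out of traffic by their structure, hash each one, call a known MD5 “Malicious”, and otherwise list the file as “Unverified” or, when the headers give a reason for suspicion, as “Suspicious” with those reasons attached. The structural checks, the PE and PDF samples and the known-hash set are assumptions constructed for the example.

```python
"""Toy 'indictment' of files in motion (the Step 1 logic in the notes above).

Added illustration, not Damballa code. It reproduces the decision the notes
describe: carve PE32/PDF files out of traffic by structure, hash them, call a
known MD5 "Malicious", and otherwise list the file as "Unverified" or
"Suspicious" with the reasons for suspicion. The structural checks and the
known-hash set are assumptions constructed for the example.
"""
import hashlib
import struct

# Machine types a sensor would expect in a Windows executable (IMAGE_FILE_MACHINE_*).
KNOWN_MACHINES = {0x014C, 0x8664, 0x01C0, 0xAA64}  # i386, x86-64, ARM, ARM64


def build_pe(machine=0x014C, sections=3, e_lfanew=0x80):
    """Construct a minimal PE-shaped buffer: MZ stub, e_lfanew at 0x3C, PE signature, COFF header."""
    buf = bytearray(b"MZ" + b"\x00" * 0x3A)          # DOS header up to offset 0x3C
    buf += struct.pack("<I", e_lfanew)                # e_lfanew: offset of the PE signature
    buf += b"\x00" * (e_lfanew - len(buf))            # DOS stub padding
    buf += b"PE\x00\x00"
    # COFF header: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    buf += struct.pack("<HHIIIHH", machine, sections, 0, 0, 0, 0xE0, 0x0102)
    return bytes(buf)


# Constructed samples; one hash is pre-loaded into the "known malicious" set.
SAMPLE_PE_KNOWN = build_pe()
SAMPLE_PE_ODD = build_pe(machine=0x1234, sections=0)
SAMPLE_PE_CLEAN = build_pe(sections=5)
SAMPLE_PDF_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
KNOWN_MALICIOUS_MD5 = {hashlib.md5(SAMPLE_PE_KNOWN).hexdigest()}


def file_type(data):
    """Return 'PE32', 'PDF' or None for anything the sensor does not carve."""
    if data[:2] == b"MZ":
        return "PE32"
    if data.startswith(b"%PDF-"):
        return "PDF"
    return None


def pe_structure_issues(data):
    """Reasons for suspicion derived from the PE headers alone."""
    if len(data) < 0x40:
        return ["truncated DOS header"]
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 24 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\x00\x00":
        return ["MZ stub without a valid PE signature"]
    machine, nsections = struct.unpack_from("<HH", data, e_lfanew + 4)
    issues = []
    if machine not in KNOWN_MACHINES:
        issues.append(f"unusual machine type 0x{machine:04x}")
    if nsections == 0 or nsections > 96:
        issues.append(f"implausible section count {nsections}")
    return issues


def pdf_structure_issues(data):
    """Reasons for suspicion in a PDF: truncation, active content, auto-run actions."""
    issues = []
    if b"%%EOF" not in data:
        issues.append("truncated PDF (no %%EOF)")
    if b"/JavaScript" in data or b"/JS" in data:
        issues.append("embedded JavaScript")
    if b"/OpenAction" in data or b"/AA" in data:
        issues.append("automatic action on open")
    if b"/Launch" in data:
        issues.append("launch action")
    return issues


def indict(data, source_uri, known_md5=KNOWN_MALICIOUS_MD5):
    """Step 1 decision for one carved file; None when it is not a file type of interest."""
    ftype = file_type(data)
    if ftype is None:
        return None
    md5 = hashlib.md5(data).hexdigest()
    if md5 in known_md5:
        verdict, reasons = "Malicious", ["MD5 seen before"]
    else:
        reasons = pe_structure_issues(data) if ftype == "PE32" else pdf_structure_issues(data)
        verdict = "Suspicious" if reasons else "Unverified"
    return {"type": ftype, "md5": md5, "source": source_uri,
            "verdict": verdict, "reasons": reasons}


if __name__ == "__main__":
    for name, blob in [("known.exe", SAMPLE_PE_KNOWN), ("odd.exe", SAMPLE_PE_ODD),
                       ("clean.exe", SAMPLE_PE_CLEAN), ("js.pdf", SAMPLE_PDF_JS),
                       ("clean.pdf", SAMPLE_PDF_CLEAN)]:
        r = indict(blob, f"http://dl.example/{name}")
        print(f"{name}: {r['verdict']} {r['reasons']}")
```

Two practical caveats the notes gloss over: a hash match only ever identifies what has been seen before, so a repacked sample lands in “Unverified” until Step 2 convicts it, and MD5 is used here only because the notes name it; a sensor built today would key its known-bad set on SHA-256.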