Overview. Introduction. Conclusions WINE TRIAGE. Zero day analysis. Symantec Research Labs (SRL)

Transcription

1 1

2 Overview Introduction WINE TRIAGE Zero day analysis Conclusions 2

3 5 locations: USA: Mountain View (CA), Culver City (CA), Herndon (VA) Europe: Dublin (IE), Sophia Antipolis(FR).. 4 thematic domains: Storage and Systems Network and Cloud User Productivity and Protection Information and Intelligence 3

4 Charter Develop key technologies and explore unchartered territories Operational Model Work closely with existing and emerging businesses Identify and work on relevant hard technical challenges Collaborate with external academic and industrial experts on externally funded projects Success Factors Transfer technology Develop new intellectual property Forge research collaborations and publish innovative work 4

5 Funded Projects NICE (2.5 Years) MINESTRONE (4.3 Years) MEERKATS (4 Years) VIS SENSE (3 Years) VAMPIRE (3.5 Years) CRISALIS (3 Years) BIG FOOT (3 Years) ACCEPT (3 Years) CONFIDENT MT (3 Years) 5

6 New challenges, new responsibilities The recent changes in the threat landscape should impact the research in computer security More inter disciplinary research More experimental results that can be reproduced Better transfer rate between research and products/solutions/services What we really try to avoid at SRL: Running authors Dahusian Research 6

7 Scientific method In general, computer security research (ours included) is not always carried out according to sound scientific methods: principles and procedures for the systematic pursuit of knowledge involving the recognition and formulation of a problem, the collection of data through observation and experiment, and the formulation and testing of hypotheses (Merriam Webster dictionary) 7

8 Overview Introduction WINE TRIAGE Zero day analysis Conclusions 8

9 Goals of WINE Project Enable sound experimentation for computer security Real world representative datasets Repeatable experiments Promote good science Enable independent verification Ensure statistical relevance Validation of academic research Scientific rigor WINE Collaboration with Symantec 9

10 WINE WINE aims at fostering collaboration in a simple, flexible and scalable way, internally as well as externally. WINE aims at improving rigorous and sound experimental research within the computer security domain (to start with). WINE aims at providing academic researchers with an environment suitable to validate experimentally their research on the ever changing threat landscape. 10

11 Some questions you may have at this point Why are we doing WINE? What. data sets does WINE contain? Who can get access to WINE? How can you get access to WINE? 11

12 Intellectual property and usage Non disclosure agreements to protect the confidentiality of the shared data but with a provision for publication Symantec receives copies of all research products Researchers assume all risks and liabilities from use of data All right, title and interest belong to the researchers Unless licensing exception is negotiated beforehand Data set should be acknowledged in publications 12

13 Operational Model 1 Malware Samples Proposal Hypothesis Data needed 3 2 WINE Catalog NDA 7 Isolated Red Lab 5 6 Contract 4 Researcher 7 Virtualized Server DB 5 6 Publication Ack: WINE 8 Contextual information 13

14 Representation vs. Reality 14

15 Overview Introduction WINE TRIAGE Zero day analysis Conclusions 15

16 Security Intelligence The TRIAGE approach Clustering based on Multi Criteria Decision Analysis (MCDA) Automatic grouping of elements likely to share the same root causes Features Selection Σ Events Per feature Graph based analysis (Build relationships) Multi criteria Aggregation (data fusion) Multi Dimensional Clusters (MDC s) (visualization) Vague statements on the nr of criteria At least k strong similarities Importances & Interactions among criteria 16

17 Case Study: Industrial Espionage and Targeted Attacks (ISTR XVII) O. Thonnard, L. Bilge, G. O Gorman, S. Kiernan, and M. Lee. Industrial Esponage and Targeted Attacks: Characteristics of an Escalating Threat 15 th Int. Symposium on Research in Attacks, Intrusions, and Defenses (RAID 12) 17

18 Targeted Attacks Experimental Data Set A targeted attack is defined as: low copy number attacks carrying malicious attachments showing some clear evidence of a selection of the subject and the targets embedding a relatively sophisticated malware Jan 2011 Jul 2012: Symantec.cloud blocked over 58,000 targeted attacks Stemming from processing billions s (carrying 500k+ malware) each day Detection: SKEPTIC technology, manual analysis, dynamic analysis All attacks were enriched with additional features: AV signatures for attached files Dynamic analysis Files read or created, network connections, C&C domains, etc. 18

19 TRIAGE Looking for Attack Campaigns 19

20 Targeted Attack Campaigns High level Figures An Attack Campaign (AC) is a series of targeted attacks that: 1. Are linked by a sufficient Nr of highly similar features 2. Are likely to originate from the same people (because of 1.) 3. On the same day or spanning multiple days (consecutive or not) In 2011, on average a targeted attack campaign: comprised 78 attacks was targeting 61 addresses within a 4 days period Single attack? 20

21 Massive Organizational Targeted Attacks (MOTA) Example: NR4 campaign (Darkmoon) 3 attackers 848 s on 16 dates over 3 months 21

22 NR4/Darkmoon campaign Comparing s (1) Attacker #1 Different dates Attacker #2 [removed] [removed] Same attack, but on different targets! Same malicious file (same MD5) [ + same C&C server ] 22

23 NR4/Darkmoon campaign Comparing s (2) Attacker #2 Same date here Attacker #3 New attack, on different targets! Clear connection with Attacker #2 New malicious files, reused by Attacker #3 23

24 NR4/Darkmoon campaign Comparing s (3) Attacker #2 Yet other dates Attacker #3 New attack from Attacker #2, but this time in Chinese [ + again, same C&C server ] All attacks were using the same vulnerability (SWF/CVE C ) New attack from Attacker #3, on yet another target 24

25 Overview Introduction WINE TRIAGE Zero day analysis Conclusions 25

26 Zero day attacks: how prevalent are they? Leyla Bilge and Tudor Dumitras. "Before we knew it: an empirical study of zero-day attacks in the real world. Proc. of the 2012 ACM conference on Computer and communications security (ACM CCS 2012), pp

27 Zero day (0 day, Day zero) Attacks Takes advantage of unknown vulnerabilities on programs before They are discovered They are publicly disclosed Asecurity patch is provided by the software vendor Common definition An attack that uses a zero day (0 day) exploit 27

28 WINE datasets for 0 day attack analysis Data collected since Dec M detections 9M hosts A/V Telemetry Virus detections Data collected since Feb Billion downloads 11M hosts 300M distinct files Binary Reputation File downloads T 0 Exploit Disclosure Patch 28

29 Results 3 in in in in 2011 OSVDB Vulnerabilities A/V Telemetry Virus detections Binary Reputation File downloads Found 18 zero day vulnerabilities 11 not known T 0 Exploit Months 6 Disclosure Patch 29

30 Zero day vulnerabilities after disclosure Malware variants CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE CVE t Time [weeks] 30

31 To disclose or not to disclose Ongoing debate on the benefits of full disclosure policy Public disclosure provides an incentive for vendors to patch faster On the other hand, disclosing vulnerabilities causes an increase in the volume of attacks 31

32 Disarming Spear Phishing Attachments.. Problem: Majority of the targeted attacks and APT infections use spear phishing s with attachments Contain malicious active content, or exploit payloads targeting parser vulnerabilities Existing solutions: Signature based document scanning Targets only spam and known malicious executables/documents Fails to address zero day vulnerabilities in DOC, PPT, PDF, XLS, Potential solution: Reconstruct inbound, externally received attachments from scratch (maintaining visual fidelity) 32

33 Before After Can you spot the difference? 33

34 The document on the left, is visually identical to the document on the right. The document on the left contained malicious java script. When the recipient opened it installed a browser extension. The browser extension downloaded a keystroke logger. The keystroke logger fed passwords back to a command & control host. This allowed entry into the environment as an authenticated user. Before After Neither can the recipient. 34

35 Disarming Spear Phishing: Deployment Combating APTs is more than just preventing the initial intrusion.. 35

36 Conclusions The threat landscape is changing We need sound scientific approaches and relevant research WINE is there for you. Use it! We are also, of course, welcoming collaboration opportunities! 36

37 Thank you! WINE Can be used without moderation Copyright 2013 Symantec Corporation. All rights reserved. Symantec and the Symantec Logo are trademarks or registered trademarks of Symantec Corporation or its affiliates in the U.S. and other countries. Other names may be trademarks of their respective owners. This document is provided for informational purposes only and is not intended as advertising. All warranties relating to the information in this document, either express or implied, are disclaimed to the maximum extent allowed by law. The information in this document is subject to change without notice. 37