The Slingshot Project

Size: px

Start display at page:

Download "The Slingshot Project"

Deborah Hicks
8 years ago
Views:

1 The Slingshot Project Measuring, analyzing, and defending against targeted attacks Stevens Le Blond

2 Software security model Obscurity Reactivity Correctness Isolation 2

3 # users Skype enables large-scale IP tracking # days 3

4 and targeted tracking Stevens Paul Francis (my boss) 12/9/10 I would like to use you as an example to show that I can find the IP of anyone who has logged on Skype in 72 hours. Is that OK with you? 12/9/10 You can use me as an example. I don't care if my IP address is private or not! 12/12/10 BTW, am I to understand that you know what P2P downloads I have made? 12/15/10 Everybody was very impressed with your visit, and we'd be delighted if you could do a post-doc here. 4

5 Four years later DoS me! Paul,Francis 5

6 Open research problems Traffic analysis (Aqua project): Can break most anonymity networks e.g., >98.3% of anonymous VoIP calls traced after one month based on real voice workload Can we build apps that resist traffic analysis? Targeted attacks (this talk): How are they carried out today? What does it teach us about defenses? 6

7 Targeted attacks Stuxnet: RSA watering-hole attack: Now Targets: Government Company NGO/Civilians 2014 peer-reviewed studies on targeted attacks Entice specific users, organizations, or communities into installing malware 7

Outline Attacker(s) Email services Target(s) NGO Data

control? How sophisticated is social engineering?

8 Outline Attacker(s) services Target(s) NGO Data Malware Social engineering How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Attack vectors Future work 8

9 A look at targeted attacks through the lense of an NGO Joint work with: Adina Uritesc, Cedric Gilbert, Zheng Leong Chua, Prateek Saxena, Engin Kirda

10 Outline Attacker(s) services Target(s) NGO Data Malware Social engineering How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Attack vectors Future work 10

11 Our dataset of targeted attacks Contacted >100 NGOs in 2013 The target: WUC Collaborate with a targeted human-rights NGO (WUC) representing the Uyghur Two NGO affiliates share >1.5k suspicious s (>1.1k w/ malware) Attack numerous related targets with same s (via To or Cc) 11

12 What organizations are being targeted? >100 targeted organizations Dataset captures attacks against NGOs and few high-profile targets 12

13 Example of targeted attack 13

14 Outline Attacker(s) services Target(s) WUC Data Malware How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Social engineering Attack vectors Future work 14

15 How specialized is Command and Control (C2)? Federal gov. State and local gov. Cluster >500 samples >25% of malware linked to known groups One group (DTL) targeted wide range of industries Same C2 used for diverse organizations / industries Services/Consulting/VAR Financial services Telecommunications Aerospace/Defense/Airlines Energy/Utilities/Petroleum refining Healthcare/Pharmaceuticals Entertainment/Media/Hospitality Insurance Chemicals/Manufacturing/Mining High-tech Higher educations Source: FireEye WUC 15

16 Outline Attacker(s) services Target(s) WUC Data Malware Social engineering Attack vectors Future work How specialized is command and control? How sophisticated is social engineering? What is the timing of attacks? After compromise Are topic and language tailored to targets? Do s impersonate contacts of targets? What are the most common attack vectors? 16

17 What is the timing of attacks? Volunteer joined WUC Others ETUE WUC Volunteer Time Attacks occur often; over long time periods; sprayed over several targets 17

18 Fraction of malicious s Are topic and language tailored to targets? 1,116 51% 29% 12% 2% 4% Topics Topics and languages are manually tailored to targets 18

19 Fraction of malicious s Do s impersonate contacts of targets? Years Attackers exploit legitimacy of targets real social contacts 19

20 Outline Attacker(s) services Target(s) WUC Data Malware Social engineering How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Attack vectors Future work 20

21 Timeline of exploited vulnerabilities Time (years) Attacks exploit recent but disclosed vulnerabilities (no 0-days) 21

22 Detection rate (In)effectiveness of reactive security GMail Hotmail Yahoo! Fails to detect even old exploits 22

23 # malicious documents Impact of application-level isolation Acrobat X deploys isolation Time Significantly raises the bar 23

24 Future work Attacker(s) Defenses Target(s) Data Malware Social engineering Attack vectors Future work Generalize results Monitoring and attack attribution Defenses Detection of contact impersonation Dynamic analysis in controlled env. Spatio-temporal, OS-based isolation 24

25 Detecting contact impersonation in spear-phishing attacks Joint work with: Istemi Ekin Akkus, Cedric Gilbert, Peter Druschel

26 Do spam filters detect spoofed s? Existing filters fail to detect spoofed contacts 26

27 Unilateral detection of contact impersonation in malicious s A browser extension that leverages: Typo s/names Authentication Writing style Switches to crypto signatures if both users support it Optionally uploads attachments for dynamic analysis 27

28 Experimental setup Incoming s (testing set) Authorship verification (Writeprints w/ training set) Impersonated s Legit s 28

29 Experimental setup cont. Enron dataset Keep users with >= 4.5k words Emulate impersonated s Verify authorship of s >= 25 words Accuracy metrics Recall: Fraction of attacks detected Precision: Fraction of warnings corresponding to attacks What accuracy of authorship verification for workload? 29

30 CDF of senders Can we verify that legitimate contact wrote ? Recall / precision rates We can verify authorship with high accuracy 30

31 Future work Attacker(s) Defenses Target(s) Data Malware Social engineering Attack vectors Future work Generalize results Monitoring and attack attribution Defenses Detection of contact impersonation Dynamic analysis in controlled env. Spatio-temporal, OS-based isolation 31

32 Take home messages Low-volume, socially engineered communications which entice specific targets into installing malware Malware: Same entities target corporations, political institutions, and NGOs Download dataset at slingshot.mpi-sws.org Social engineering: Topic, language, and senders manually tailored to targets Stylometry accurately detects contact impersonation Attack vectors: Recent but disclosed vulnerabilities that evade reactive defenses Data indicates isolation is effective in the wild 32

A Look at Targeted Attacks Through the Lense of an NGO

A Look at Targeted Attacks Through the Lense of an NGO Stevens Le Blond, Adina Uritesc, and Cédric Gilbert, Max Planck Institute for Software Systems (MPI-SWS); Zheng Leong Chua and Prateek Saxena, National