Overview
- Introduction
- WINE
- TRIAGE
- Zero day analysis
- Conclusions
5 locations:
- USA: Mountain View (CA), Culver City (CA), Herndon (VA)
- Europe: Dublin (IE), Sophia Antipolis (FR)
4 thematic domains:
- Storage and Systems
- Network and Cloud
- User Productivity and Protection
- Information and Intelligence
Charter
- Develop key technologies and explore uncharted territories
Operational Model
- Work closely with existing and emerging businesses
- Identify and work on relevant hard technical challenges
- Collaborate with external academic and industrial experts on externally funded projects
Success Factors
- Transfer technology
- Develop new intellectual property
- Forge research collaborations and publish innovative work
Funded Projects (timeline chart, 2009 to 2016; project durations as shown on the chart)
- NICE (2.5 years)
- MINESTRONE (4.3 years)
- MEERKATS (4 years)
- VIS-SENSE (3 years)
- VAMPIRE (3.5 years)
- CRISALIS (3 years)
- BIG FOOT (3 years)
- ACCEPT (3 years)
- CONFIDENT MT (3 years)
New challenges, new responsibilities
The recent changes in the threat landscape should impact research in computer security:
- More interdisciplinary research
- More experimental results that can be reproduced
- Better transfer rate between research and products/solutions/services
What we really try to avoid at SRL:
- Running authors
- Dahusian research
Scientific method
In general, computer security research (ours included) is not always carried out according to sound scientific methods: "principles and procedures for the systematic pursuit of knowledge involving the recognition and formulation of a problem, the collection of data through observation and experiment, and the formulation and testing of hypotheses" (Merriam-Webster dictionary).
Section: WINE
Goals of the WINE Project
- Enable sound experimentation for computer security
- Real-world, representative datasets
- Repeatable experiments
- Promote good science
- Enable independent verification
- Ensure statistical relevance
- Validation of academic research
- Scientific rigor
WINE: collaboration with Symantec, http://www.symantec.com/wine
WINE
- WINE aims at fostering collaboration in a simple, flexible and scalable way, internally as well as externally.
- WINE aims at improving rigorous and sound experimental research within the computer security domain (to start with).
- WINE aims at providing academic researchers with an environment suitable to validate experimentally their research on the ever-changing threat landscape.
Some questions you may have at this point
- Why are we doing WINE?
- What data sets does WINE contain?
- Who can get access to WINE?
- How can you get access to WINE?
Intellectual property and usage
- Non-disclosure agreements protect the confidentiality of the shared data, but with a provision for publication
- Symantec receives copies of all research products
- Researchers assume all risks and liabilities from use of the data
- All right, title and interest belong to the researchers, unless a licensing exception is negotiated beforehand
- The data set should be acknowledged in publications
Operational Model (diagram with steps 1 to 8; elements shown: Researcher; Proposal (Hypothesis, Data needed); WINE Catalog; NDA; Contract; Isolated Red Lab; Virtualized Server; DB; Malware Samples; Contextual information; Publication (Ack: WINE))
Representation vs. Reality
Section: TRIAGE
Security Intelligence: The TRIAGE approach
- Clustering based on Multi-Criteria Decision Analysis (MCDA)
- Automatic grouping of elements likely to share the same root causes
Pipeline (diagram):
- Feature selection: events, Σ per feature
- Graph-based analysis (build relationships)
- Multi-criteria aggregation (data fusion): vague statements on the number of criteria ("at least k strong similarities"), importances and interactions among criteria
- Multi-Dimensional Clusters (MDCs) (visualization)
Case Study: Industrial Espionage and Targeted Attacks (ISTR XVII)
O. Thonnard, L. Bilge, G. O'Gorman, S. Kiernan, and M. Lee. "Industrial Espionage and Targeted Attacks: Characteristics of an Escalating Threat." 15th Int. Symposium on Research in Attacks, Intrusions, and Defenses (RAID 2012).
Targeted Attacks: Experimental Data Set
A targeted attack is defined as:
- low copy number attacks carrying malicious email attachments
- showing some clear evidence of a selection of the subject and the targets
- embedding a relatively sophisticated malware
Jan 2011 to Jul 2012: Symantec.cloud blocked over 58,000 targeted attacks
- Stemming from processing billions of emails (carrying 500k+ malware) each day
- Detection: SKEPTIC technology, manual analysis, dynamic analysis
All email attacks were enriched with additional features:
- AV signatures for attached files
- Dynamic analysis: files read or created, network connections, C&C domains, etc.
TRIAGE: Looking for Attack Campaigns
Targeted Attack Campaigns: High-level Figures
An Attack Campaign (AC) is a series of targeted attacks that:
1. Are linked by a sufficient number of highly similar features
2. Are likely to originate from the same people (because of 1.)
3. Occur on the same day or span multiple days (consecutive or not)
In 2011, on average a targeted attack campaign:
- comprised 78 attacks
- was targeting 61 email addresses
- within a 4-day period
Single attack?
Massive Organizational Targeted Attacks (MOTA)
Example: NR4 campaign (Darkmoon)
- 3 attackers
- 848 emails on 16 dates over 3 months
NR4/Darkmoon campaign: Comparing Emails (1)
Attacker #1 (different dates) vs. Attacker #2: [removed] [removed]
- Same attack, but on different targets!
- Same malicious file (same MD5) [+ same C&C server]
NR4/Darkmoon campaign: Comparing Emails (2)
Attacker #2 (same date here) vs. Attacker #3
- New attack, on different targets!
- Clear connection with Attacker #2
- New malicious files, reused by Attacker #3
NR4/Darkmoon campaign: Comparing Emails (3)
Attacker #2 (yet other dates) vs. Attacker #3
- New attack from Attacker #2, but this time in Chinese [+ again, same C&C server]
- All attacks were using the same vulnerability (SWF/CVE-2011-0611.C)
- New attack from Attacker #3, on yet another target
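The pipeline sketched in the TRIAGE slide and the campaign definition above (per-feature similarity, "at least k strong similarities" aggregation, graph-based grouping into multi-dimensional clusters) as an added, simplified illustration: this is example code written for this page, not TRIAGE's own implementation, and the attack records, feature names and the exact-match similarity are constructed assumptions.

```python
from collections import defaultdict
from itertools import combinations

# Constructed sample of targeted-attack records (not WINE data): one row per
# blocked email with the kind of features TRIAGE extracts. Values are made up.
ATTACKS = [
    {"id": "a1", "md5": "h1", "cc": "cc-a", "sender": "s1", "subject": "Q3 report", "date": "2011-03-01"},
    {"id": "a2", "md5": "h1", "cc": "cc-a", "sender": "s2", "subject": "Q3 report", "date": "2011-03-05"},
    {"id": "a3", "md5": "h2", "cc": "cc-a", "sender": "s2", "subject": "Invitation", "date": "2011-03-05"},
    {"id": "a4", "md5": "h2", "cc": "cc-b", "sender": "s3", "subject": "Invitation", "date": "2011-03-09"},
    {"id": "a5", "md5": "h9", "cc": "cc-z", "sender": "s9", "subject": "Resume", "date": "2011-06-01"},
]
FEATURES = ("md5", "cc", "sender", "subject", "date")


def feature_similarities(x, y):
    """Per-feature similarity vector; simplified to 1.0 on exact match, else 0.0."""
    return {f: 1.0 if x[f] == y[f] else 0.0 for f in FEATURES}


def aggregate(sims, k):
    """'At least k strong similarities': the k-th largest per-feature score
    (an ordered weighted average with all weight on position k)."""
    ordered = sorted(sims.values(), reverse=True)
    return ordered[k - 1] if 0 < k <= len(ordered) else 0.0


def build_graph(attacks, k, threshold=0.5):
    """Graph-based analysis: link two attacks when the aggregated score passes the threshold."""
    edges = defaultdict(set)
    for x, y in combinations(attacks, 2):
        if aggregate(feature_similarities(x, y), k) >= threshold:
            edges[x["id"]].add(y["id"])
            edges[y["id"]].add(x["id"])
    return edges


def campaigns(attacks, k=2):
    """Multi-dimensional clusters = connected components of the similarity graph."""
    edges = build_graph(attacks, k)
    seen, clusters = set(), []
    for a in attacks:
        if a["id"] in seen:
            continue
        stack, comp = [a["id"]], set()
        while stack:  # depth-first walk over the component
            node = stack.pop()
            if node in comp:
                continue
            comp.add(node)
            stack.extend(edges[node])
        seen |= comp
        clusters.append(sorted(comp))
    return clusters
```

With k=2 the first four records chain into one campaign through shared MD5, C&C server or sender, as in the NR4 walk-through; raising k to 3 splits off the attack that shares only two features.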
Section: Zero day analysis
Zero day attacks: how prevalent are they?
Leyla Bilge and Tudor Dumitras. "Before we knew it: an empirical study of zero-day attacks in the real world." Proc. of the 2012 ACM Conference on Computer and Communications Security (ACM CCS 2012), pp. 833-844.
Zero day (0-day, day zero) attacks
Take advantage of unknown vulnerabilities in programs before:
- they are discovered
- they are publicly disclosed
- a security patch is provided by the software vendor
Common definition: an attack that uses a zero day (0-day) exploit
WINE datasets for 0-day attack analysis
- A/V Telemetry (virus detections): data collected since Dec 2009; 225M detections; 9M hosts
- Binary Reputation (file downloads): data collected since Feb 2008; 32 billion downloads; 11M hosts; 300M distinct files
Timeline (diagram): T0 (exploit), Disclosure, Patch
Results
- Found 18 zero day vulnerabilities, 11 not known: 3 in 2008, 7 in 2009, 6 in 2010, 2 in 2011
- Data sources: OSVDB (vulnerabilities), A/V Telemetry (virus detections), Binary Reputation (file downloads)
Timeline (chart): T0 (exploit), Disclosure, Patch; exploitation duration per vulnerability on a scale of 6 to 30 months
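An added, simplified illustration of how the two WINE datasets above are joined to find zero-day attacks, in the spirit of the cited study but not the authors' code: A/V telemetry says which file hashes exploit a CVE, binary reputation says when those files were first downloaded, and OSVDB gives the disclosure date; a download that predates disclosure marks a zero-day and its lead time. The study applies further validation steps not shown here; all records, CVE identifiers and dates below are constructed placeholders.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records (not WINE data); CVE ids and dates are placeholders.
# OSVDB-style disclosure dates: when each vulnerability became public.
DISCLOSURE = {
    "CVE-EXAMPLE-0001": date(2010, 6, 1),
    "CVE-EXAMPLE-0002": date(2010, 9, 15),
}
# A/V telemetry: a signature fired on a file; the signature names the CVE exploited.
AV_DETECTIONS = [
    {"md5": "f1", "cve": "CVE-EXAMPLE-0001", "date": date(2010, 7, 3)},
    {"md5": "f2", "cve": "CVE-EXAMPLE-0001", "date": date(2010, 7, 10)},
    {"md5": "f3", "cve": "CVE-EXAMPLE-0002", "date": date(2010, 10, 1)},
]
# Binary reputation: download events per file hash, recorded before any signature
# existed, which is what lets the analysis look back past the disclosure date.
DOWNLOADS = [
    {"md5": "f1", "date": date(2010, 2, 2)},
    {"md5": "f1", "date": date(2009, 11, 20)},
    {"md5": "f2", "date": date(2010, 5, 30)},
    {"md5": "f3", "date": date(2010, 9, 20)},
]


def exploit_files_by_cve(detections):
    """Step 1: from A/V telemetry, the set of file hashes that exploit each CVE."""
    files = defaultdict(set)
    for d in detections:
        files[d["cve"]].add(d["md5"])
    return files


def first_seen(downloads):
    """Step 2: from binary reputation, the earliest download date of each hash."""
    first = {}
    for d in downloads:
        first[d["md5"]] = min(first.get(d["md5"], d["date"]), d["date"])
    return first


def zero_days(disclosure, detections, downloads):
    """Step 3: a CVE is a zero-day if any of its exploit files was downloaded before
    disclosure. Returns {cve: days of in-the-wild exploitation before disclosure}."""
    files = exploit_files_by_cve(detections)
    seen = first_seen(downloads)
    found = {}
    for cve, disclosed in disclosure.items():
        dates = [seen[m] for m in files.get(cve, ()) if m in seen]
        if dates and min(dates) < disclosed:
            found[cve] = (disclosed - min(dates)).days
    return found
```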
Zero day vulnerabilities after disclosure (chart): number of malware variants (log scale, 10 to 100,000) against time in weeks relative to disclosure at t = 0 (-100 to 150 weeks), one curve per vulnerability: CVE-2009-4324, CVE-2010-2883, CVE-2010-0028, CVE-2009-0658, CVE-2009-0084, CVE-2010-1241, CVE-2010-2862, CVE-2010-0480, CVE-2009-0561, CVE-2009-3126, CVE-2008-2249, CVE-2009-2501, CVE-2008-0015, CVE-2011-1331, CVE-2009-1134
To disclose or not to disclose
- Ongoing debate on the benefits of a full disclosure policy
- Public disclosure provides an incentive for vendors to patch faster
- On the other hand, disclosing vulnerabilities causes an increase in the volume of attacks
Disarming Spear Phishing Attachments
Problem:
- The majority of targeted attacks and APT infections use spear phishing emails with attachments
- The attachments contain malicious active content, or exploit payloads targeting parser vulnerabilities
Existing solutions:
- Signature-based document scanning
- Targets only spam and known malicious executables/documents
- Fails to address zero day vulnerabilities in DOC, PPT, PDF, XLS, ...
Potential solution:
- Reconstruct inbound, externally received attachments from scratch (maintaining visual fidelity)
Before / After: Can you spot the difference?
The document on the left is visually identical to the document on the right. The document on the left contained malicious JavaScript. When the recipient opened it, it installed a browser extension. The browser extension downloaded a keystroke logger. The keystroke logger fed passwords back to a command & control host. This allowed entry into the environment as an authenticated user.
Before / After: Neither can the recipient.
Disarming Spear Phishing: Deployment
Combating APTs is more than just preventing the initial intrusion.
Conclusions
- The threat landscape is changing
- We need sound scientific approaches and relevant research
- WINE is there for you. Use it!
- We are also, of course, welcoming collaboration opportunities!
Thank you!
WINE can be used without moderation: www.symantec.com/wine, marc_dacier@symantec.com
Copyright 2013 Symantec Corporation. All rights reserved.