The Slingshot Project

Similar documents
A Look at Targeted Attacks Through the Lense of an NGO

A Look at Targeted Attacks Through the Lense of an NGO

The Devil is Phishing: Rethinking Web Single Sign On Systems Security. Chuan Yue USENIX Workshop on Large Scale Exploits

SECURITY REIMAGINED SPEAR PHISHING ATTACKS WHY THEY ARE SUCCESSFUL AND HOW TO STOP THEM. Why Automated Analysis Tools are not Created Equal

Spear Phishing Attacks Why They are Successful and How to Stop Them

White paper. Phishing, Vishing and Smishing: Old Threats Present New Risks

SPEAR-PHISHING ATTACKS

Fighting Advanced Threats

Complete Protection against Evolving DDoS Threats

Advanced Persistent Threats

Covert Operations: Kill Chain Actions using Security Analytics

SPEAR PHISHING UNDERSTANDING THE THREAT

Targeted attacks: Tools and techniques

The PA-4000 Series can add visibility and control into your network for webmail applications to stop incoming threats and limit uploaded data.

White paper. TrusGuard DPX: Complete Protection against Evolving DDoS Threats. AhnLab, Inc.

CS 356 Lecture 17 and 18 Intrusion Detection. Spring 2013

Defense Media Activity Guide To Keeping Your Social Media Accounts Secure

How To Prevent Hacker Attacks With Network Behavior Analysis

INSTANT MESSAGING SECURITY

OVERVIEW. 1. Cyber Crime Unit organization. 2. Legal framework. 3. Identity theft modus operandi. 4. How to avoid online identity theft

THE SMARTEST WAY TO PROTECT WEBSITES AND WEB APPS FROM ATTACKS

Defending Against Cyber Attacks with SessionLevel Network Security

LASTLINE WHITEPAPER. In-Depth Analysis of Malware

MySpam filtering service Protection against spam, viruses and phishing attacks

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

Intrusion Detection for Mobile Ad Hoc Networks

Recommended IP Telephony Architecture

Avoiding Malware in Your Dental Practice. 10 Best Practices to Defend Your Data

THE ROLE OF IDS & ADS IN NETWORK SECURITY

The Hillstone and Trend Micro Joint Solution

GUIDE TO KEEPING YOUR SOCIAL MEDIA ACCOUNTS SECURE

CS 558 Internet Systems and Technologies

Overview An Evolution. Improving Trust, Confidence & Safety working together to fight the beast. Microsoft's online safety strategy

Inspection of Encrypted HTTPS Traffic

NATIONAL CYBER SECURITY AWARENESS MONTH

Malicious Mitigation Strategy Guide

SANS Top 20 Critical Controls for Effective Cyber Defense

Books and Beyond. Erhan J Kartaltepe, Paul Parker, and Shouhuai Xu Department of Computer Science University of Texas at San Antonio

Symantec Cyber Threat Analysis Program Program Overview. Symantec Cyber Threat Analysis Program Team

How We're Getting Creamed

Secure Your Mobile Workplace

Intro to Firewalls. Summary

McAfee Network Security Platform

How to Protect against the Threat of Spearphishing Attacks

Protecting Your Organisation from Targeted Cyber Intrusion

This session was presented by Jim Stickley of TraceSecurity on Wednesday, October 23 rd at the Cyber Security Summit.

Managing Web Security in an Increasingly Challenging Threat Landscape

Locking down a Hitachi ID Suite server

PFP Technology White Paper

Achieving Truly Secure Cloud Communications. How to navigate evolving security threats

Streamlining Web and Security

BYPASSING THE ios GATEKEEPER

Web application security Executive brief Managing a growing threat: an executive s guide to Web application security.

SPEAR PHISHING AN ENTRY POINT FOR APTS

Who Drives Cybersecurity in Your Business? Milan Patel, K2 Intelligence. AIBA Quarterly Meeting September 10, 2015

The Evolving Threat Landscape and New Best Practices for SSL

Securing Cloud-Based

Top 10 Anti-fraud Tips: The Cybersecurity Breach Aftermath

Introducing IBM s Advanced Threat Protection Platform

Combating the Next Generation of Advanced Malware

Information Security Basic Concepts

Gmail setup for administrators

An Anomaly-Based Method for DDoS Attacks Detection using RBF Neural Networks

CS 640 Introduction to Computer Networks. Network security (continued) Key Distribution a first step. Lecture24

Networks and Security Lab. Network Forensics

How Web Application Security Can Prevent Malicious Attacks

Malware, Phishing, and Cybercrime Dangerous Threats Facing the SMB State of Cybercrime

Kaspersky Fraud Prevention: a Comprehensive Protection Solution for Online and Mobile Banking

How to Spot and Combat a Phishing Attack Webinar

LASTLINE WHITEPAPER. Large-Scale Detection of Malicious Web Pages

Networks & Security Course. Web of Trust and Network Forensics

UNCLASSIFIED Version 1.0 May 2012

Does your Citrix or Terminal Server environment have an Achilles heel?

Cyber Security. Securing Your Mobile and Online Banking Transactions

VIDEO Intypedia013en LESSON 13: DNS SECURITY. AUTHOR: Javier Osuna García-Malo de Molina. GMV Head of Security and Process Consulting Division

Cisco Advanced Services for Network Security

Enterprise Apps: Bypassing the Gatekeeper

Spam, Spyware, Malware and You! Don't give up just yet! Presented by: Mervin Istace Provincial Library Saskatchewan Learning

Top five strategies for combating modern threats Is anti-virus dead?

Why The Security You Bought Yesterday, Won t Save You Today

Client Server Registration Protocol

Applying machine learning techniques to achieve resilient, accurate, high-speed malware detection


ADVANCED THREATS IN THE ENTERPRISE. Finding an Evil in the Haystack with RSA ECAT. White Paper

Where every interaction matters.

SHORT MESSAGE SERVICE SECURITY

Why is a strong password important?

Network Service, Systems and Data Communications Monitoring Policy

Transcription:

The Slingshot Project Measuring, analyzing, and defending against targeted attacks Stevens Le Blond

Software security model Obscurity Reactivity Correctness Isolation 2

# users Skype enables large-scale IP tracking # days 3

and targeted tracking Stevens Paul Francis (my boss) 12/9/10 I would like to use you as an example to show that I can find the IP of anyone who has logged on Skype in 72 hours. Is that OK with you? 12/9/10 You can use me as an example. I don't care if my IP address is private or not! 12/12/10 BTW, am I to understand that you know what P2P downloads I have made? 12/15/10 Everybody was very impressed with your visit, and we'd be delighted if you could do a post-doc here. 4

Four years later DoS me! Paul,Francis 5

Open research problems Traffic analysis (Aqua project): Can break most anonymity networks e.g., >98.3% of anonymous VoIP calls traced after one month based on real voice workload Can we build apps that resist traffic analysis? Targeted attacks (this talk): How are they carried out today? What does it teach us about defenses? 6

Targeted attacks Stuxnet: RSA watering-hole attack: 2010 2012 Now Targets: Government Company NGO/Civilians 2014 peer-reviewed studies on targeted attacks Entice specific users, organizations, or communities into installing malware 7

Outline Attacker(s) Email services Target(s) NGO Data Malware Social engineering How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Attack vectors Future work 8

A look at targeted attacks through the lense of an NGO Joint work with: Adina Uritesc, Cedric Gilbert, Zheng Leong Chua, Prateek Saxena, Engin Kirda

Outline Attacker(s) Email services Target(s) NGO Data Malware Social engineering How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Attack vectors Future work 10

Our dataset of targeted attacks Contacted >100 NGOs in 2013 The target: WUC Collaborate with a targeted human-rights NGO (WUC) representing the Uyghur Two NGO affiliates share >1.5k suspicious emails (>1.1k w/ malware) Attack numerous related targets with same emails (via To or Cc) 11

What organizations are being targeted? >100 targeted organizations Dataset captures attacks against NGOs and few high-profile targets 12

Example of targeted attack 13

Outline Attacker(s) Email services Target(s) WUC Data Malware How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Social engineering Attack vectors Future work 14

How specialized is Command and Control (C2)? Federal gov. State and local gov. Cluster >500 samples >25% of malware linked to known groups One group (DTL) targeted wide range of industries Same C2 used for diverse organizations / industries Services/Consulting/VAR Financial services Telecommunications Aerospace/Defense/Airlines Energy/Utilities/Petroleum refining Healthcare/Pharmaceuticals Entertainment/Media/Hospitality Insurance Chemicals/Manufacturing/Mining High-tech Higher educations Source: FireEye WUC 15

Outline Attacker(s) Email services Target(s) WUC Data Malware Social engineering Attack vectors Future work How specialized is command and control? How sophisticated is social engineering? What is the timing of attacks? After compromise Are topic and language tailored to targets? Do emails impersonate contacts of targets? What are the most common attack vectors? 16

What is the timing of attacks? Volunteer joined WUC Others ETUE WUC Volunteer Time Attacks occur often; over long time periods; sprayed over several targets 17

Fraction of malicious emails Are topic and language tailored to targets? 1,116 51% 29% 12% 2% 4% Topics Topics and languages are manually tailored to targets 18

Fraction of malicious emails Do emails impersonate contacts of targets? Years Attackers exploit legitimacy of targets real social contacts 19

Outline Attacker(s) Email services Target(s) WUC Data Malware Social engineering How specialized is command and control? How sophisticated is social engineering? What are the most common attack vectors? Attack vectors Future work 20

Timeline of exploited vulnerabilities Time (years) Attacks exploit recent but disclosed vulnerabilities (no 0-days) 21

Detection rate (In)effectiveness of reactive security GMail Hotmail Yahoo! Fails to detect even old exploits 22

# malicious documents Impact of application-level isolation Acrobat X deploys isolation Time Significantly raises the bar 23

Future work Attacker(s) Defenses Target(s) Data Malware Social engineering Attack vectors Future work Generalize results Monitoring and attack attribution Defenses Detection of contact impersonation Dynamic analysis in controlled env. Spatio-temporal, OS-based isolation 24

Detecting contact impersonation in spear-phishing attacks Joint work with: Istemi Ekin Akkus, Cedric Gilbert, Peter Druschel

Do spam filters detect spoofed emails? Existing filters fail to detect spoofed contacts 26

Unilateral detection of contact impersonation in malicious emails A browser extension that leverages: Typo emails/names Authentication Writing style Switches to crypto signatures if both users support it Optionally uploads attachments for dynamic analysis 27

Experimental setup Incoming emails (testing set) Authorship verification (Writeprints w/ training set) Impersonated emails Legit emails 28

Experimental setup cont. Enron dataset Keep users with >= 4.5k words Emulate impersonated emails Verify authorship of emails >= 25 words Accuracy metrics Recall: Fraction of attacks detected Precision: Fraction of warnings corresponding to attacks What accuracy of authorship verification for email workload? 29

CDF of senders Can we verify that legitimate contact wrote email? Recall / precision rates We can verify authorship with high accuracy 30

Future work Attacker(s) Defenses Target(s) Data Malware Social engineering Attack vectors Future work Generalize results Monitoring and attack attribution Defenses Detection of contact impersonation Dynamic analysis in controlled env. Spatio-temporal, OS-based isolation 31

Take home messages Low-volume, socially engineered communications which entice specific targets into installing malware Malware: Same entities target corporations, political institutions, and NGOs Download dataset at slingshot.mpi-sws.org Social engineering: Topic, language, and senders manually tailored to targets Stylometry accurately detects contact impersonation Attack vectors: Recent but disclosed vulnerabilities that evade reactive defenses Data indicates isolation is effective in the wild 32

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information