19-03-19 Advanced Technologies vs. Advanced Threats Timur Biyachuev, VP Threat Research
Jan 29, 2021

  • 19-03-19

    Advanced Technologies vs. Advanced Threats

    Timur Biyachuev,

    VP Threat Research

  • Kaspersky’s Threat Research Team: Facts About Us

    «The malware research team has a well-earned reputation for rapid and accurate malware detection» Gartner

    «As far as test results from the independent labs go, Kaspersky is utterly golden. It consistently receives top ratings from the major labs.»

    PC Magazine

    350+ threats analysts, developers, researchers and data scientists

    Expert support and technologies for 30+ products and services

    5+ Billions malware objects

    2+ Petabytes of TI data

    260+ patents

    346,000 new malicious files detected every day

    141,000 new spam letters detected every day

    Anti-Malware Research

    Content-Filtering Research

    Technology Research

    Whitelisting Lab

    Data Science Lab

    Software Security

  • Modern Threat Landscape

  • APT Landscape. KL Public Announcements

    Stuxnet

    Duqu

    Gauss

    Flame

    miniFlame

    NetTraveler

    Miniduke

    RedOctober

    Icefog

    Winnti

    Kimsuky

    TeamSpy

    CosmicDuke

    Darkhotel

    Regin

    Careto / The Mask

    Epic Turla

    Energetic Bear / Crouching Yeti

    Wild Neutron

    Blue Termite

    Spring Dragon

    Desert Falcons

    Carbanak

    Equation

    Animal Farm

    Darkhotel - part 2

    MsnMM Campaigns

    Satellite Turla

    Hellsing

    Sofacy

    Naikon

    Duqu 2.0

    ProjectSauron

    Saguaro

    StrongPity

    Lazarus

    Lurk

    Adwind

    Metel

    Ghoul

    Fruity Armor

    ScarCruft

    Poseidon

    GCMan

    Danti

    Dropping Elephant

    Moonlight Maze

    ATMitch

    ShadowPad

    BlackOasis

    WhiteBear

    Silence

    WannaCry

    Shamoon 2.0

    ExPetr/NotPetya

    BlueNoroff

    StoneDrill

    Olympic DestroyerFF

    MuddyWater

    Turla over Sofacy

    AppleJeus

    Hades

    Dark Tequila

    Octopus

    Roaming Mantis

    LuckyMouse

    VPNFilter

    Zebrocy

    Ploutos

  • Advanced Threat Taxonomy

    Attack preparation

    Delivery

    C&C

    Execution

    Lateral movement

    Damage & silent leave

    • gather data

    • prepare strategy

    • non-malware

    • hidden

    • encrypted

    • new domain

    • «gray domain»

    • payload/command delivery

    • hide inside normal activities

    • steal credentials

    • non violation of anything

    • rapid

    • silent

    • no immediate damage

    • hide the traces

    • erase from logs

    • leave a backdoor

  • Threat Landscape requires new approaches

    Prevention systems: Prevent

    Detection systems: Detect

    Threat hunting: Find unknown evil

  • Advanced Prevention

  • Automatic Exploit Prevention

  • Automatic Exploit Prevention

  • Classical multilayered approach is not effective against modern threats

    • Attacker has an advantage

    • Our approach: decision, based on threat context

    THREAT CONTEXT

    Cloud data

    Emulation data

    ML-models data

    Behavior data

    Beyond multi-layered approach

  • Signatures, masks and hashes

    Classic detection routine

    Cloud detection (KSN)

    Heuristics based on execution logs

    Automatic Exploit Prevention

    Deep learning utilizing execution logs (BehavioralModel, prototype)

    Heuristics based on emulation logs (Binary and Script Emulator)

    Machine learning models

    Beyond multi-layered approach

  • Kaspersky multilayered machine learning

    Behavioral by execution logs

    ML Cloud requests w/o a model on client

    Behavioral Model Deep learning utilizing execution logs

    Astraea Expert system for metadata aggregation

    Decision tree ensemble Built by gradient boosting technique

    Behavioral by emulation logs

    Cure and detection routines

    Locality-Sensitive Hashing Built by orthogonal projection learning

    ML model

  • Decision tree ensemble

  • Locality-sensitive hashes

  • Adaptive Anomalies Control

  • Advanced Detection

  • Targeted Attack Analyzer. How it works

  • Detection of suspicious activities

    External

    Web Server

    Spear-phishing

    Machine 1

    KATA

    Well-known executable or IP?

    KES: host downloaded WinPE executable from IP

  • Detection of suspicious activities

    External

    Web Server

    Spear-phishing

    Machine 1

    KATA

    KES: host downloaded WinPE executable from IP

    Unpopular executable or IP, host 1

  • Detection of suspicious activities

    Machine 1

    KATA

    KES: suspicious service is created

    Machine 2

    Unpopular executable or IP, host 1 Suspicious service: 1 host

  • Detection of suspicious activities

    Machine 1

    KATA

    Suspicious service: 1 host Unpopular executable or IP, host 1

    Machine 2 Machine 3

    KES: suspicious service is created

    Suspicious service: 2 hosts

  • Detection of suspicious activities

    Machine 1

    KATA

    Suspicious service: 2 hosts Unpopular executable or IP, host 1

    Machine 2 Machine 3

    KES: suspicious service is created

    Suspicious service: 3 hosts

    Machine 4

  • Detection of suspicious activities

    Machine 1

    KATA

    Machine 2 Machine 3

    Unpopular executable or IP, host 1 Suspicious service: 3 hosts

    Machine 4 Unpopular executable or IP, host 1 Suspicious service: 3 hosts Trojan-banker.Carbanak.b

  • Detection of suspicious activities

    External

    Web Server

    Spear-phishing

    Machine 1

    KATA

    Well-known executable or IP?

    KES: host downloaded WinPE executable from IP

  • Detection of suspicious activities

    External

    Web Server

    Spear-phishing

    Machine 1

    KATA

    KES: host downloaded WinPE executable from IP

    Unpopular executable or IP, host 1

  • Detection of suspicious activities

    Machine 1

    KATA

    KES: Powershell in service

    Machine 2

    Unpopular executable or IP, host 1 Suspicious service: powershell inside

  • Detection of suspicious activities

    Machine 1

    KATA

    Machine 2

    Suspicious service: powershell inside Unpopular executable or IP, host 1

    Web Server

  • Detection of suspicious activities

    Machine 1

    KATA

    TAA Agent: Connection to IP from PowerShell

    Machine 2

    Suspicious service: powershell inside Unpopular executable or IP, host 1

    Web Server

    Well-known IP? Unpopular IP

  • Detection of suspicious activities

    Machine 1

    KATA

    Machine 2

    Web Server

    Suspicious service: powershell inside Unpopular executable or IP, host 1

    Unpopular IP Trojan-banker.Carbanak.c

    Suspicious service: powershell inside Unpopular executable or IP, host 1

    Unpopular IP
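The correlation the slide sequences above walk through (a weak per-host signal such as an unpopular executable or IP, escalated only when the same suspicious service spreads to more hosts, or when a PowerShell service reaches an unpopular IP), written out as an added Python example. This is not Kaspersky's KATA/KES code; the reputation tables, the host-count threshold, the event field names and the sample telemetry are constructed assumptions.

```python
from dataclasses import dataclass, field
# Constructed reputation tables standing in for the cloud "well-known executable or IP?"
# lookups on the slides (assumption: anything not listed here is treated as unpopular).
KNOWN_HASHES = {"sha256:popular-installer"}
KNOWN_IPS = {"203.0.113.10"}
SPREAD_THRESHOLD = 3  # escalate once the same suspicious service is seen on this many hosts

@dataclass
class Correlator:
    unpopular_download: set = field(default_factory=set)  # hosts that fetched an unpopular PE
    service_hosts: dict = field(default_factory=dict)      # service image -> hosts it appeared on
    ps_service: set = field(default_factory=set)           # hosts whose service runs PowerShell
    unpopular_conn: set = field(default_factory=set)       # hosts where PowerShell reached an unpopular IP

    def ingest(self, ev: dict):
        """Feed one endpoint (KES-style) event, then re-evaluate the correlation rules."""
        host, kind = ev["host"], ev["type"]
        if kind == "download" and (ev["hash"] not in KNOWN_HASHES or ev["ip"] not in KNOWN_IPS):
            self.unpopular_download.add(host)
        elif kind == "service_created":
            self.service_hosts.setdefault(ev["image"], set()).add(host)
            if "powershell" in ev["image"].lower():
                self.ps_service.add(host)
        elif kind == "connection" and ev["process"].lower() == "powershell.exe":
            if ev["ip"] not in KNOWN_IPS:
                self.unpopular_conn.add(host)
        return self.verdict()

    def verdict(self):
        # An unpopular download alone is a weak signal; it escalates when the suspicious
        # service spreads across hosts or when a PowerShell service reaches an unpopular IP.
        if not self.unpopular_download:
            return None
        for image, hosts in self.service_hosts.items():
            if len(hosts) >= SPREAD_THRESHOLD:
                return f"lateral movement: service {image} on {len(hosts)} hosts after unpopular download"
        if self.ps_service & self.unpopular_conn:
            return "PowerShell service connecting to unpopular IP after unpopular download"
        return None

def run(events):
    """Replay events in order; return (event index, finding) for each event that escalates."""
    c = Correlator()
    return [(i, v) for i, ev in enumerate(events) if (v := c.ingest(ev))]
# Constructed sample telemetry mirroring the two slide sequences above.
SCENARIO_A = [{"type": "download", "host": "m1", "hash": "sha256:unknown", "ip": "198.51.100.7"}] + [
    {"type": "service_created", "host": h, "image": "C:\\Windows\\Temp\\upd.exe"} for h in ("m2", "m3", "m4")]
SCENARIO_B = [SCENARIO_A[0],
    {"type": "service_created", "host": "m2", "image": "powershell.exe -File C:\\ProgramData\\svc.ps1"},
    {"type": "connection", "host": "m2", "process": "powershell.exe", "ip": "198.51.100.9"}]
```

Replaying SCENARIO_A escalates only at the fourth event (third host with the service), and SCENARIO_B only once the PowerShell service actually reaches an unpopular IP; the same service events without the unpopular download never escalate.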

  • Advanced Sandbox. How it works

    kaspersky.com/TechnoWiki

    10+ patents

    https://www.kaspersky.com/enterprise-security/wiki-section/home

  • Advanced Sandbox: Adaptive sandboxing technologies

    • Adaptive Sandboxing

    • Allows you to control the behavior of the sample during execution in an isolated environment

    • Case study: Purgen

    • Uses anti-evasion techniques for the first 15 minutes of execution

    • Case study: Upatre

    • Checks uptime of the system

    • Checks the environment

  • Advanced Sandbox: Exploit Checker technology

    • Exploit Checker

    • Detects anomalies – exceptions, allocation of memory followed by a transfer of control into it as executable code, etc. A combination of such events is treated as the detection of a possible exploit

    • Case study: Microcin

    • During the pilot, we discovered an exploit that was detected by Exploit Checker

    • Case study: Vulnerability in game driver

    • This driver could be sent code that it would then execute in kernel mode

    https://securelist.com/a-simple-example-of-a-complex-cyberattack/82636/

    https://securelist.com/elevation-of-privileges-in-namco-driver/83707/

  • Threat Hunting

  • Inside Cloud

  • Kaspersky Technowiki: Advanced Cybersecurity technologies

    kaspersky.com/TechnoWiki

    https://www.kaspersky.com/enterprise-security/wiki-section/home

  • The end! (结束, Конец, the end, das Ende, la fin)

    Kaspersky Lab HQ

    39A/3 Leningradskoe Shosse

    Moscow, 125212, Russian Federation

    Tel: +7 (495) 797-8700

    www.kaspersky.com