The role of threat intelligence in combating against targeted malware attacks
Boldizsár Bencsáth
Budapest University of Technology and Economics
Department of Telecommunications
Laboratory of Cryptography and System Security (CrySyS Lab)
www.crysys.hu
joint work with Levente Buttyán, Gábor Pék, and Márk Félegyházi
Laboratory of Cryptography and System Security – CrySyS Adat- és Rendszerbiztonság Laboratórium – www.crysys.hu
CrySyS Lab - activities
- 09/2011 discovery, naming, and first analysis of the Duqu malware
- 05/2012 published detailed technical analysis of the Flame malware
- 02/2013 together with Kaspersky Labs, we published information on the MiniDuke malware
- 03/2013 after the joint work with NSA HUN, we published results of investigations on the TeamSpy campaign
Miniduke
- FireEye found a document with a 0-day PDF exploit on 12/02/2013
- PDF documents that use the same 0-day vulnerability, but different malware modules, were found
- The documents were suspicious – we expected that the attackers use them against high-profile targets
- ~60 victim IP addresses found, many high-profile targets in governments and organizations, even NATO
- Investigations were finished within a week; we disclosed all relevant information about the malware and the victims to the appropriate organizations
- Not the malware, but the attack campaign is of main interest
TeamSpy
- In March 2013 the Hungarian National Security Authority (NSA HUN) asked for our support to further work on an already identified attack
- We obtained and analyzed many new malware samples, investigated a number of C&C servers and obtained victim lists
- There are multiple waves of attack campaigns done by some group in the last 8 years
- Two main malware technologies: one "standard" proprietary botnet client, one based on TeamViewer abuse
- Main goal of the attackers: targeted attacks to steal information
- Traces show that the attackers were active from 2004
- Some of their tools were already known for years by A/V companies, but the whole story was never identified (missing threat intelligence)
Threat Intelligence
- the process of discovering malicious activity – through internal monitoring tools or external services that publish information about detected incidents – before an attack succeeds: situational awareness
- to understand "what is going on"; technical analysis is just one point in that process
- Information is needed from as many sources as possible
- One finding might open the way for another (cyclic approach)
- As long as the attack is not fully understood, the work done should not be exposed (too much) – don't leak info towards the attackers
Questions of threat intelligence
- What is the threat we are facing?
  – What tools are used by the attackers?
  – What are the possible capabilities and resources of the attacker?
  – What is the goal of the attacker?
  – Attribution ("who is the attacker") is just a way to understand it better
- What is the risk at our side?
  – What are our assets that need to be protected?
  – What if the attack continues?
- What should be the response?
  – What is the most efficient way to handle the problem?
  – How to notify others, what to share?
  – What could happen after a response to the attack?
Threat intelligence process - a model
[Figure: cycle diagram of the threat intelligence process – Collect, Dig, Analyze, Decide, Act – with the connecting arrows labelled info, query, intelligence, and command]
Threat intelligence gathering - sources
- internal monitoring tools
  – AV (anti-virus) products
  – IDSs (Intrusion Detection Systems) and SIEMs (Security Incident and Event Management systems)
  – log analysis tools
  – DNS monitoring
  – honeypots
- external services
  – run by various security organizations, projects, vendors, universities, CERTs, non-profit initiatives, or even enthusiastic individuals
  – public, closed, or commercial access
  – examples: collections of malware samples, malicious domains, IP blacklists
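DNS monitoring is listed above as an internal source, and the Zeus case later in the deck mentions domain flux as a backup C&C channel. The following is an added example (not from the slides or from the CrySyS Lab) of the kind of rule a DNS monitor can run: it parses constructed resolver log lines, scores the second-level label of each queried name by character entropy, and flags any client that accumulates many NXDOMAIN answers for random-looking names, which is how algorithmically generated domains show up before the live one is found. The log format, the 10.0.0.x clients, the thresholds, and the generated-looking names are all invented for the example.

```python
import math
import re
from collections import defaultdict

# Constructed resolver log (not real traffic): timestamp, client, query name, rcode.
# Client 10.0.0.7 walks through random-looking names that do not resolve;
# 10.0.0.5 and 10.0.0.9 show ordinary lookups and a single typo.
SAMPLE_DNS_LOG = """\
2012-12-10T09:00:01 10.0.0.5 www.example.com NOERROR
2012-12-10T09:00:02 10.0.0.5 mail.example.com NOERROR
2012-12-10T09:00:03 10.0.0.7 qxzvprtkwlmnbsd.com NXDOMAIN
2012-12-10T09:00:03 10.0.0.7 hjdkslqpwoeirut.net NXDOMAIN
2012-12-10T09:00:04 10.0.0.7 zmxncbvalskdjfh.biz NXDOMAIN
2012-12-10T09:00:04 10.0.0.7 pqowieurytlaksj.info NXDOMAIN
2012-12-10T09:00:05 10.0.0.7 lkjhgfdsamnbvcxz.com NXDOMAIN
2012-12-10T09:00:05 10.0.0.7 wertyuiopasdfghj.org NXDOMAIN
2012-12-10T09:00:06 10.0.0.5 cdn.example.org NOERROR
2012-12-10T09:00:07 10.0.0.9 typo-of-site.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL)$")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score near log2(len)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def second_level_label(name: str) -> str:
    """'www.example.com' -> 'example'; the label a DGA actually randomises."""
    parts = name.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def parse_dns_log(text: str) -> list:
    """Turn the constructed log lines into records; unparseable lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, rcode = m.groups()
        records.append({"ts": ts, "client": client, "qname": qname, "rcode": rcode})
    return records


def looks_generated(qname: str, min_len: int = 12, min_entropy: float = 3.5) -> bool:
    """Heuristic: long second-level label with high character entropy.
    Thresholds are assumptions for this example and need tuning per network."""
    label = second_level_label(qname)
    return len(label) >= min_len and shannon_entropy(label) >= min_entropy


def find_flux_clients(records: list, threshold: int = 5) -> dict:
    """Map client -> list of failed, random-looking queries for clients that
    exceed the threshold. A production rule would also bound this by a time
    window; the constructed log spans only a few seconds, so none is applied."""
    per_client = defaultdict(list)
    for r in records:
        if r["rcode"] == "NXDOMAIN" and looks_generated(r["qname"]):
            per_client[r["client"]].append(r["qname"])
    return {c: names for c, names in per_client.items() if len(names) >= threshold}


if __name__ == "__main__":
    for client, names in find_flux_clients(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(f"{client}: {len(names)} failed random-looking lookups, e.g. {names[0]}")
```

The single typo from 10.0.0.9 is not flagged because its label has ordinary English-like entropy, and the normal lookups from 10.0.0.5 never enter the count because they resolve; the rule fires only on the combination of failure, length and randomness, which keeps it usable as a first-pass filter whose hits are then fed into the Dig/Analyze steps of the cycle.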
A case study for threat intelligence
- 5 Hungarian banks were attacked by a specific Zeus P2P botnet based attack from Dec/2012
- Started with a phishing email and an attached executable
- Main attack: modified browser behavior to transfer money from the bank account of the user
- Main attack scripts and the botnet were updated multiple times
First steps
- Collect samples from victims
- Run samples in a sandbox environment
  – First within an isolated computer
  – Network communication shows UDP traffic and later domain flux as a backup mechanism
  – You can conclude that it is P2P Zeus
- At first glance VirusTotal gives something like 2/46 with "generic.Trojan" markers
- After some hours it will give you something like 30/46 if the attack is wide-scale
- If you still see 2/46 then you are in trouble: it can be a targeted attack (APT)
- If you were the first to upload the sample to VT, you have revealed information
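The last four points above are a triage rule: a low detection ratio that stays low after the sample has been around for a while points towards a targeted attack, and submitting the file to a public scanner leaks the fact that you have it. The code below is an added example, not from the slides or from the CrySyS Lab, that encodes that rule. It looks a sample up by SHA-256 only (the bytes never leave the analyst's machine) in a constructed, offline table that stands in for a multi-engine scan report; the engine names, labels, the 6-hour settling period and the 50 % "widespread" cut-off are all assumptions chosen to mirror the 2/46 versus 30/46 figures on the slide, and no real VirusTotal API is called.

```python
import hashlib
import re

TOTAL_ENGINES = 46  # engine count used on the slide
# Labels that only say "something heuristic" rather than naming a family.
GENERIC_RE = re.compile(r"generic|heur|suspicious", re.IGNORECASE)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_engines(hits: dict, total: int = TOTAL_ENGINES) -> dict:
    """Pad a dict of detecting engines with non-detecting ones up to `total`."""
    engines = dict(hits)
    i = 0
    while len(engines) < total:
        name = f"vendor{i:02d}"  # constructed engine names, lowercase to avoid clashes
        if name not in engines:
            engines[name] = None
        i += 1
    return engines


# Constructed samples and reports (not real binaries, not real scanner data).
SAMPLE_EARLY = b"constructed sample - just uploaded, 2 generic hits"
SAMPLE_WIDE = b"constructed sample - widespread, named by most engines"
SAMPLE_QUIET = b"constructed sample - a day old and still 2 generic hits"

GENERIC_HITS = {"VendorA": "Generic.Trojan", "VendorB": "Trojan.Generic!heur"}
NAMED_HITS = dict(GENERIC_HITS, **{f"Vendor{i:02d}": "Trojan.Zbot" for i in range(28)})

REPORTS = {
    sha256_hex(SAMPLE_EARLY): {"hours_since_first_seen": 0, "engines": make_engines(GENERIC_HITS)},
    sha256_hex(SAMPLE_WIDE): {"hours_since_first_seen": 8, "engines": make_engines(NAMED_HITS)},
    sha256_hex(SAMPLE_QUIET): {"hours_since_first_seen": 24, "engines": make_engines(GENERIC_HITS)},
}


def lookup_by_hash(sample: bytes, reports: dict):
    """Return the known report for a sample, or None if nobody has seen it.
    Only the hash is used for the lookup; the sample itself is never submitted,
    so a miss does not hand the attackers a copy of what you are analysing."""
    return reports.get(sha256_hex(sample))


def triage(report: dict, total_engines: int = TOTAL_ENGINES, settle_hours: int = 6) -> dict:
    """Apply the slide's rule of thumb to one report."""
    hits = {e: label for e, label in report["engines"].items() if label}
    ratio = len(hits) / total_engines
    generic_only = bool(hits) and all(GENERIC_RE.search(label) for label in hits.values())
    age = report["hours_since_first_seen"]
    if ratio >= 0.5:
        verdict = "widespread"          # ~30/46 after the vendors caught up
    elif age < settle_hours:
        verdict = "too-early"           # 2/46 right after first sight means nothing yet
    else:
        verdict = "possibly-targeted"   # still 2/46 hours later: escalate
    return {
        "detections": len(hits),
        "ratio": round(ratio, 3),
        "generic_only": generic_only,
        "verdict": verdict,
    }


if __name__ == "__main__":
    for sample in (SAMPLE_EARLY, SAMPLE_WIDE, SAMPLE_QUIET):
        report = lookup_by_hash(sample, REPORTS)
        print(sha256_hex(sample)[:12], triage(report) if report else "unknown hash")
```

The `generic_only` flag is reported separately from the verdict because it is the second signal on the slide: two engines saying "generic.Trojan" carry less information than two engines naming the same family, and an analyst reading the output wants both numbers before deciding whether to move the sample into a full Dig/Analyze cycle.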
Zeus contd.
- It was found (and even published on blog sites) that the malware downloads updates from a hacked web page: www.felegond-jatektar.hu/lego-logo/biz.exe
- The site was running for weeks and nobody took steps to remove the content
- The malware installed some new versions; for some, only the configuration block was different (e.g. peers)
Difference is only at the end of the file
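When successive downloads differ only in a trailing configuration block, the useful defender's step is to confirm that the code body is byte-identical and to pull out just the part that changed, so that samples can be grouped by body and the peer lists compared across waves. The code below is an added example, not from the slides or from the CrySyS Lab; the `CFG:` marker, the `peers=` syntax and the sample bytes are invented for the example and are not the real Zeus configuration format.

```python
import hashlib

# Constructed stand-in for a dropped binary: a fixed "code body" with an
# appended configuration block. Marker and peer syntax are invented here.
BODY = bytes(range(256)) * 8            # 2048 bytes of shared "code"
CFG_MARKER = b"CFG:"
SAMPLE_V1 = BODY + CFG_MARKER + b"peers=192.0.2.10:13131,192.0.2.11:13131"
SAMPLE_V2 = BODY + CFG_MARKER + b"peers=198.51.100.7:13131,198.51.100.8:13131"
SAMPLE_OTHER = bytes(reversed(BODY)) + CFG_MARKER + b"peers=203.0.113.5:13131"


def common_prefix_len(a: bytes, b: bytes) -> int:
    """Offset of the first differing byte (or the shorter length if one is a prefix)."""
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def compare_variants(a: bytes, b: bytes) -> dict:
    """Where do two files diverge, and how much of the longer one is shared?
    Note the first differing offset can land inside the config block when the
    blocks start with identical bytes, so it is a hint, not the block boundary."""
    k = common_prefix_len(a, b)
    longest = max(len(a), len(b))
    return {
        "first_diff_offset": k if k < longest else None,
        "shared_fraction": round(k / longest, 3),
    }


def split_body_config(sample: bytes, marker: bytes = CFG_MARKER) -> tuple:
    """Split at the last occurrence of the (assumed) marker: (body, config)."""
    idx = sample.rfind(marker)
    if idx < 0:
        return sample, b""
    return sample[:idx], sample[idx + len(marker):]


def body_hash(sample: bytes) -> str:
    """Hash of the code body only, ignoring the appended configuration."""
    return hashlib.sha256(split_body_config(sample)[0]).hexdigest()


def same_body_different_config(a: bytes, b: bytes) -> bool:
    """True when two samples are the same build carrying different settings."""
    body_a, cfg_a = split_body_config(a)
    body_b, cfg_b = split_body_config(b)
    return body_a == body_b and cfg_a != cfg_b


def cluster_by_body(samples: dict) -> dict:
    """Group sample names by body hash, so variants of one build land together."""
    groups = {}
    for name, data in samples.items():
        groups.setdefault(body_hash(data), []).append(name)
    return groups


if __name__ == "__main__":
    print(compare_variants(SAMPLE_V1, SAMPLE_V2))
    print("v1 config:", split_body_config(SAMPLE_V1)[1])
    print("v2 config:", split_body_config(SAMPLE_V2)[1])
    for h, names in cluster_by_body({"v1": SAMPLE_V1, "v2": SAMPLE_V2, "other": SAMPLE_OTHER}).items():
        print(h[:12], names)
```

Clustering on the body hash rather than on the whole-file hash is what turns "we got another sample" into "we got the same build with new peers", which is the campaign-level view the later conclusions slide argues for; the whole-file hashes of v1 and v2 differ, while their body hashes are equal.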
Zeus Contd.
- Later, new malware components were installed on the sandboxed computers
- Some new modules try to communicate with two C&C servers, one in the Netherlands and one in Italy (95.141.32.214)
Components
- Main communication module is written in Delphi
- It uses a standard remote access SDK, "RealThinClient"
- The malware stores components (executable files!) in the
Zeus - conclusions
- It is not just "Zeus", it's a campaign
- A new related campaign was discovered (RCApp)
- New malware strain uncovered with new tricks
- Several corresponding samples can be investigated
- Hundreds of victims were identified
- Lots of questions are still unanswered
- Work in progress
Conclusions – threat intelligence
- Threat intelligence is more than finding and analyzing malware
- Lots of information is available, but threat intelligence is still a hard task
- Some tasks can be automated, but many cannot – scalability problems
- It is a hard task to judge seriousness
- Information sharing is highly needed
- Threat intelligence is very important for the security of our networks