6/15/2016 (C) 2016 CYTHEREAL 1
Targeting Advanced Cyber Attacks
Early Warning System for Targeted Attack using Malware Intelligence
Speaker:
Dr. Arun Lakhotia
Professor of Computer Science
16 Years in Malware Research
Sponsored by:
US Department of Defense
DARPA, Air Force, Army
Founder, CEO
Mission: Targeting Advanced Targeted Attacks
USP: Automated Malware Analytics
My 15 minutes
2003-2007: CajunBot (2003, 2005, 2007)
My second 15 minutes
2010: Founded Lafayette Holi
Current Security Industry Segmentation
Prevent Breach using Indicators of Attack (EPP)
Detect Breach using Indicators of Compromise (EDR)
Corporate Boundary
Quiz?
Can we leverage Indicators of Attack to PREDICT potential breach?
Corporate Boundary
Hint
Hint
Maxim: Defender must succeed 99 times; attacker only once.
Corollary: Attacker must TRY 99 times before succeeding once.
Corporate Boundary
Targeted Attacks are multi-staged
Mandiant™ Targeted Attack Cycle: Initial Compromise → Establish Foothold → Escalate Privileges → Move Laterally → Steal Data
Targeted Attacks Require Persistence
Attacker must try, and try, and try
Question?
How can we detect persistent attempts?
Malware (still) plays a dominant role in data breaches
Verizon Data Breach Report 2016: 85% include malware; 72% phishes delivered via
Persistence involves beating AV defenses
Inundate the system (ENTERPRISE) with machine-generated variants
Current Limitation: Each Malware is Independent
Trojan.Win.5265
KeyLog.Win.HAB
BadThing.abac
No connection between them
Cythereal’s MAGIC: Connect malware
Connected using
shared “Genome”
Patent Pending
Research sponsored by: DARPA Cyber Genome program
DEMO: magic.cythereal.com
“Google” for Malware
Case Study: Discover Stages of Attack
Timeline of linked samples, Jul through Feb (Jul, Aug, Aug, Sep, Oct, Dec, Jan, Feb), classified as Adware, Backdoor, Keylogger
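The case study above, and the earlier "how can we detect persistent attempts?" question, as an added worked example that is not Cythereal's code: MAGIC's genome matching is patent-pending and not described in the deck, so this Python links blocked AV detections with Jaccard overlap over constructed feature sets (an assumed metric) and raises an early warning when one family of variants shows repeated attempts across several stages of the attack cycle. The dates, feature ids and the "unrelated" commodity hit are constructed; the AV labels are the ones shown on the slides.

```python
from dataclasses import dataclass
from datetime import date
from itertools import combinations

@dataclass(frozen=True)
class Detection:
    day: date
    label: str        # vendor AV name: on its own, each detection looks unrelated
    stage: str        # adware / backdoor / keylogger, as on the case-study slide
    genes: frozenset  # constructed stand-in for shared code features ("genome")

def link_variants(detections, threshold=0.5):
    """Union-find: link samples whose feature sets' Jaccard overlap (assumed metric) >= threshold."""
    parent = list(range(len(detections)))
    def root(i):
        while parent[i] != i:
            i = parent[i]
        return i
    for i, j in combinations(range(len(detections)), 2):
        a, b = detections[i].genes, detections[j].genes
        if len(a & b) / len(a | b) >= threshold:  # A~B and B~C put A, B, C in one family
            parent[root(i)] = root(j)
    families = {}
    for i, d in enumerate(detections):
        families.setdefault(root(i), []).append(d)
    return list(families.values())

def early_warnings(detections, min_attempts=3, min_stages=2):
    """Flag a family whose blocked samples (failed tries) span several attack stages."""
    warnings = []
    for fam in link_variants(detections):
        stages = {d.stage for d in fam}
        if len(fam) >= min_attempts and len(stages) >= min_stages:
            days = sorted(d.day for d in fam)
            warnings.append({"attempts": len(fam), "stages": sorted(stages),
                             "labels": sorted({d.label for d in fam}),
                             "span_days": (days[-1] - days[0]).days})
    return warnings

RAW = [  # constructed AV log (date, AV label, stage, feature ids) mirroring the slide's Jul..Feb
    ("2015-07-03", "BadThing.abac", "adware", "g1 g2 g3 g4"),
    ("2015-08-04", "BadThing.abac", "adware", "g1 g2 g3 g5"),
    ("2015-08-20", "Trojan.Win.5265", "backdoor", "g1 g2 g5 g6"),
    ("2015-09-11", "Trojan.Win.5265", "backdoor", "g1 g2 g6 g7"),
    ("2015-10-06", "KeyLog.Win.HAB", "keylogger", "g2 g6 g7 g8"),
    ("2015-12-01", "KeyLog.Win.HAB", "keylogger", "g2 g6 g7 g8 g9"),
    ("2016-01-14", "KeyLog.Win.HAB", "keylogger", "g6 g7 g8 g9"),
    ("2016-02-09", "Trojan.Win.5265", "backdoor", "g1 g6 g7 g8 g9"),
    ("2015-11-02", "BadThing.abac", "adware", "h1 h2 h3"),  # unrelated commodity hit
]
SAMPLE = [Detection(date.fromisoformat(d), l, s, frozenset(g.split())) for d, l, s, g in RAW]
```

Each of the eight linked detections carries a different or identical vendor label, yet only the family view shows one actor escalating from adware to backdoor to keylogger over seven months; the lone commodity hit never reaches the warning threshold.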
Cythereal’s Vision
MAGIC Threat Intelligence Exchange
Hub: Global Intelligence
Indicators Exchanged: Malware Genome
Spokes: Local Intelligence
Cythereal’s MAGIC
Learn from Adversary’s Failures
Turn Anti-Virus into an Intelligence Gathering Tool
Connect Malware to Connect Attacks
How can you get it?
Giving away FIVE free one-year subscriptions
Register on: magic.cythereal.com