Malware Evasion: Why It Works
Guy Rosefelt
Security Product Marketing Director
Sangfor Technologies
Contents
01 Malware Evasions
02 How to Fight Against AI-Attacks
03 Use Case
04 Takeaways
PART 1 Malware Evasions
Has Your Organization Experienced These Problems?
• Using best-of-breed security devices but still getting infected by ransomware
• Second wave or recurrence of a breach or infection
How Could This Happen?
Hackers are using the newest technology available to attack your network and bypass your existing security system.
Types of Malware
Virus, Trojans, Ransomware, Adware, Spyware, Worms, Keyloggers, Fileless Malware, Rootkits, Botnet
Malware Transmission Method
• Phishing Email: malicious code embedded in an attachment (e.g. Locky, Petya variant). Typical target: personal PC.
• Brute Force: brute force against RDP/SSH/SMB/DB services (e.g. .java, GlobeImposter variant). Typical target: servers with remote access.
• Exploit Kit: backlink, iframe and drive-by download (e.g. Cerber). Typical target: vulnerable server.
• 0-day Vulnerability Exploit: vulnerability and command exploitation (e.g. WannaCry, Petya variant). No specific target.
Variants of Malware Advanced Botnet
Advanced Evasion Techniques
Malware Sandbox Evasion Techniques
• Delaying Execution
• Hardware Detection
• CPU Detection
• User Detection
• Environment Detection
Malware Sandbox Evasion Techniques: Delaying Execution
• A sandbox allocates a finite amount of time (usually only several minutes) to each analysis
• The malware uses the "Sleep" or "NtDelayExecution" Windows APIs
• It takes a timestamp, goes to sleep, and checks the timestamp again upon waking up
Malware Sandbox Evasion Techniques: User Detection
• Mouse cursor position
• File count
• Screen resolution
• Running tools
• Application/window/process count
DeepLocker - AI-Powered Concealment
1. Target Class Concealment: does not reveal what kind of target it is looking for (e.g., person, organization).
2. Target Instance Concealment: if the target class is an individual, it does not reveal who it is looking for.
3. Malicious Intent Concealment: the payload is fully encrypted, concealing how the final attack is executed.
DGA Algorithm Techniques
Typical DGA: randomly generated, and unreadable to humans
rhpmt.ws ciscqq.ws qckjqqel.ws wotybgr.ws qqjyfit.ws dhlfqaegj.ws mcoenfeoy.ws lhtryk.ws
Variant 1: joining words and random letters
speeh4ab5893940.me speeh062e9c0b96.cloud speeh062e9c0b96.vip speehe34a33001b.cloud
Variant 2: joining words
fallcity.ru strengthbright.net fiftytold.net verygrow.net favorleft.ru callwear.net wellthirteen.net picturestream.ru
DGA Characteristics:
1. Resolve to the same IP
2. >90% can't be resolved
3. Human unreadable
4. Single use
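As an added example (not code from the Sangfor deck), the following Python scores constructed DNS log lines against the four DGA characteristics listed above: the share of a host's queries that return NXDOMAIN, a readability heuristic on the generated label, whether each name is queried only once, and grouping of names that resolved to the same IP. The .ws and word-joining names are the ones shown on the slide; the log format, the hosts, the addresses and the two extra names per family are assumptions made for the example. It also shows why the readability test alone is weak: most of the word-joining names pass it and are caught only by the NXDOMAIN share and the shared resolved IP.

```python
from collections import defaultdict

# Constructed sample DNS log, one query per line:
# "<source_ip> <queried_name> <rcode> <answer_ip or ->"
# The .ws and word-joining names are the deck's examples; the two extra names
# per family, the hosts and the addresses are made up for this example.
SAMPLE_DNS_LOG = """\
10.0.0.5 rhpmt.ws NOERROR 203.0.113.7
10.0.0.5 ciscqq.ws NXDOMAIN -
10.0.0.5 qckjqqel.ws NXDOMAIN -
10.0.0.5 wotybgr.ws NXDOMAIN -
10.0.0.5 qqjyfit.ws NXDOMAIN -
10.0.0.5 dhlfqaegj.ws NXDOMAIN -
10.0.0.5 mcoenfeoy.ws NXDOMAIN -
10.0.0.5 lhtryk.ws NXDOMAIN -
10.0.0.5 xkqzvrp.ws NXDOMAIN -
10.0.0.5 bqjwtmz.ws NXDOMAIN -
10.0.0.9 fallcity.ru NXDOMAIN -
10.0.0.9 strengthbright.net NXDOMAIN -
10.0.0.9 fiftytold.net NXDOMAIN -
10.0.0.9 verygrow.net NOERROR 203.0.113.7
10.0.0.9 favorleft.ru NXDOMAIN -
10.0.0.9 callwear.net NXDOMAIN -
10.0.0.9 wellthirteen.net NXDOMAIN -
10.0.0.9 picturestream.ru NXDOMAIN -
10.0.0.9 stonewalk.net NXDOMAIN -
10.0.0.9 quietriver.ru NXDOMAIN -
10.0.0.20 www.example.com NOERROR 198.51.100.10
10.0.0.20 updates.example.org NOERROR 198.51.100.11
10.0.0.20 cdn.example.net NOERROR 198.51.100.12
10.0.0.20 exmaple.com NXDOMAIN -
"""

VOWELS = set("aeiouy")   # y counted as a vowel: a common approximation


def parse_dns_log(text):
    """Turn the constructed log format into a list of dicts, skipping bad lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, qname, rcode, answer = parts
        records.append({"src": src, "qname": qname.lower(), "rcode": rcode,
                        "answer": None if answer == "-" else answer})
    return records


def second_level_label(qname):
    """'www.example.com' -> 'example': the label a DGA actually generates."""
    labels = qname.strip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(label):
    best = run = 0
    for ch in label:
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return best


def is_human_unreadable(label):
    """Characteristic 3: few vowels or a long consonant run marks a random label.
    Most word-joining (Variant 2) labels pass this test, so it is never used alone."""
    vowel_ratio = sum(ch in VOWELS for ch in label) / max(len(label), 1)
    return vowel_ratio < 0.2 or longest_consonant_run(label) >= 4


def host_query_counts(records):
    """Characteristic 2 input: (total queries, NXDOMAIN queries) per source host."""
    total, failed = defaultdict(int), defaultdict(int)
    for r in records:
        total[r["src"]] += 1
        if r["rcode"] == "NXDOMAIN":
            failed[r["src"]] += 1
    return {h: (total[h], failed[h]) for h in total}


def domains_sharing_ip(records):
    """Characteristic 1: distinct names that resolved to the same IP, keyed by IP."""
    by_ip = defaultdict(set)
    for r in records:
        if r["answer"]:
            by_ip[r["answer"]].add(r["qname"])
    return {ip: names for ip, names in by_ip.items() if len(names) > 1}


def flag_dga_hosts(records, nx_threshold_pct=90):
    """Return {host: evidence} for hosts whose NXDOMAIN share reaches the threshold,
    with the readability, single-use and shared-IP evidence attached."""
    shared = domains_sharing_ip(records)
    flagged = {}
    for host, (total, failed) in host_query_counts(records).items():
        if failed * 100 < nx_threshold_pct * total:   # integer compare, no float edge
            continue
        names = {r["qname"] for r in records if r["src"] == host}
        unreadable = sum(is_human_unreadable(second_level_label(n)) for n in names)
        flagged[host] = {
            "nxdomain_ratio": failed / total,
            "unreadable_labels": unreadable,
            "total_labels": len(names),
            "single_use": len(names) == total,        # characteristic 4
            "shared_ips": sorted(ip for ip, group in shared.items() if names & group),
        }
    return flagged


if __name__ == "__main__":
    for host, evidence in flag_dga_hosts(parse_dns_log(SAMPLE_DNS_LOG)).items():
        print(host, evidence)
```

Run on the sample, both infected hosts are flagged at exactly the 90% NXDOMAIN mark, the random-label host has 7 of 10 unreadable labels while the word-joining host has only 2, and both share the resolved address 203.0.113.7, which is the evidence that ties them to one family.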
The Impact of AI-Based Attacks
Ransomware Infection: the hacker uses weaponized AI attacks to bypass security systems, build C&C connections with his server, and automatically download the ransomware executable.
Business impact:
• IT Assets Under Hacker Control: the hacker controls your assets to generate illegal profits (cryptomining / DDoS as a service, etc.)
• Data Breach: the hacker splices sensitive words when generating domain names and sends the requests to his server.
PART 2 How to Fight Against AI-Attacks
AI/ML Techniques
• From the normal point of view: use baselines to find anomalies. Baseline server traffic to find anomalies that deviate from the baseline.
• From the threat point of view: use anomalies to find anomalies. The propagation behavior of variants from the same virus family will be similar.
• From the lateral point of view: use correlations to find anomalies. Some C&C domain names used by a virus family all resolve to the same IP address; the family can be identified from this behavior.
Use Baselines To Find Anomalies
A1. Host label + access relationship
A2. Vectorization
A3. TF-IDF
A4. Anomaly detection based on Isolation Forest
A5. DBSCAN host clustering (hosts grouped under labels A, B, C)
Use Anomalies To Find Anomalies
B1. Host label + access relationship
B2. Vectorization
B3. Cosine similarity with the host's historical behaviour vector
B4. Novelty detection
B5. Cosine similarity with other hosts
B6. Take the lowest 10% by arithmetical average
(Output: normal Internet access vs. abnormal Internet access)
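The vectorization, TF-IDF and cosine-similarity steps of the two pipelines above (A2, A3 and B2 to B6) can be shown in a few dozen lines. The Python below is an added example, not Sangfor's implementation: each host's domain access counts are the "document", a smoothed TF-IDF turns them into a vector, and each host's current window is compared with its own history by cosine similarity, after which the lowest 10% of hosts are reported as novel. The hosts, the access counts and the domain names (except qckjqqel.ws, taken from the DGA slide) are constructed; the Isolation Forest and DBSCAN steps (A4, A5) are not reproduced.

```python
import math
from collections import Counter

# Constructed per-host domain access counts for a history window and the
# current window (no real customer data). qckjqqel.ws is one of the deck's
# DGA examples; every other name and host is made up.
HISTORY = {
    "host-a": Counter({"update.example.com": 40, "mail.example.com": 30, "cdn.example.net": 10}),
    "host-b": Counter({"update.example.com": 35, "wiki.example.org": 25, "cdn.example.net": 12}),
    "host-c": Counter({"update.example.com": 38, "mail.example.com": 20, "wiki.example.org": 15}),
    "host-d": Counter({"update.example.com": 30, "cdn.example.net": 30, "intranet.example.com": 30}),
    "host-e": Counter({"mail.example.com": 50, "wiki.example.org": 10}),
}
CURRENT = {
    "host-a": Counter({"update.example.com": 42, "mail.example.com": 28, "cdn.example.net": 11}),
    "host-b": Counter({"update.example.com": 33, "wiki.example.org": 27, "cdn.example.net": 10,
                       "mail.example.com": 2}),
    "host-c": Counter({"update.example.com": 5, "mail.example.com": 3, "qckjqqel.ws": 60}),
    "host-d": Counter({"update.example.com": 28, "cdn.example.net": 33, "intranet.example.com": 29}),
    "host-e": Counter({"mail.example.com": 45, "wiki.example.org": 12, "update.example.com": 3}),
}


def inverse_document_frequency(docs):
    """Smoothed IDF fitted on the history documents (one per host), step A3.
    Returns (idf table, number of documents) so unseen terms can be weighted."""
    n = len(docs)
    df = Counter()
    for counts in docs.values():
        df.update(counts.keys())          # one increment per document containing the term
    return {t: math.log((1 + n) / (1 + df[t])) + 1.0 for t in df}, n


def tfidf_vector(counts, idf, n_docs):
    """Access counts -> sparse TF-IDF vector (the A2/B2 vectorization step)."""
    total = sum(counts.values())
    if total == 0:
        return {}
    unseen = math.log((1 + n_docs) / 1) + 1.0   # never seen in history: highest weight
    return {t: (c / total) * idf.get(t, unseen) for t, c in counts.items()}


def cosine(u, v):
    """Cosine similarity of two sparse vectors (step B3); 0.0 if either is empty."""
    dot = sum(u[t] * v[t] for t in u.keys() & v.keys())
    nu = math.sqrt(sum(x * x for x in u.values()))
    nv = math.sqrt(sum(x * x for x in v.values()))
    return dot / (nu * nv) if nu and nv else 0.0


def novelty_scores(history, current):
    """Steps B3/B4: similarity of each host's current behaviour to its own history.
    Low values mean the host is talking to places it never talked to before."""
    idf, n = inverse_document_frequency(history)
    return {h: cosine(tfidf_vector(history[h], idf, n),
                      tfidf_vector(current.get(h, Counter()), idf, n))
            for h in history}


def lowest_fraction(scores, fraction=0.1):
    """Step B6: report the least similar `fraction` of the population (at least one host)."""
    k = max(1, math.ceil(len(scores) * fraction))
    return [h for h, _ in sorted(scores.items(), key=lambda kv: kv[1])[:k]]


if __name__ == "__main__":
    scores = novelty_scores(HISTORY, CURRENT)
    for host in sorted(scores, key=scores.get):
        print(f"{host}: similarity to own history = {scores[host]:.3f}")
    print("novel hosts:", lowest_fraction(scores, 0.1))
```

host-c, which shifted most of its traffic to a name that appears in no host's history, scores close to zero while the others stay above 0.99; the unseen-term weight is what makes a never-before-seen domain dominate the vector.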
Use Correlations To Find Anomalies
Pipeline: ransomware PE file structure → original features (byte level: IPs, ports, registry keys, assembly instructions, etc.) → feature training based on semantics → high-level features (extract the essential behavior: network connection test, file encryption, write to the registry, autostart) → feature selection of high-quality features (extract the most effective features for deciding whether it is malware: file encryption, autostart) → classification model (training/forecast) → result.
PE file structure: DOS MZ header; DOS stub; PE file header (PE signature); IMAGE_OPTIONAL_HEADER with data directories; section table (array of IMAGE_SECTION_HEADERs); sections (.text, .data, .rsrc, .idata, .src).
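The byte-level stage of that pipeline starts with walking the PE structure just listed. As an added example (not the deck's or Sangfor's code), the Python below builds a constructed, non-runnable PE32 image with three sections, parses it header by header (DOS header, PE signature, file header, optional header with its data directories, section table) and derives a few static features of the kind a classifier is trained on: section entropy, whether the entry point lies in an executable section, and writable-and-executable sections. The sample bytes, offsets and section contents are assumptions; the structure offsets follow the PE/COFF specification.

```python
import math
import struct

# Constants from the PE/COFF specification (winnt.h names)
IMAGE_DOS_SIGNATURE = b"MZ"
IMAGE_NT_SIGNATURE = b"PE\0\0"
IMAGE_NT_OPTIONAL_HDR32_MAGIC = 0x10B
IMAGE_NT_OPTIONAL_HDR64_MAGIC = 0x20B
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_WRITE = 0x80000000
# IMAGE_FILE_HEADER: Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
# NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
FILE_HEADER_FMT = "<HHIIIHH"
# IMAGE_SECTION_HEADER: Name, VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData,
# PointerToRelocations, PointerToLinenumbers, NumberOfRelocations, NumberOfLinenumbers,
# Characteristics (40 bytes)
SECTION_HEADER_FMT = "<8sIIIIIIHHI"


def shannon_entropy(data):
    """Bits per byte; 8.0 means uniformly random (packed or encrypted) content."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return 0.0 - sum(c / n * math.log2(c / n) for c in counts if c)


def build_sample_pe():
    """Constructed PE32 image with three sections: a header layout only, with made-up
    section bytes and no valid code, just enough to exercise the parser."""
    file_align = 0x200
    sections = [  # name, RVA, raw bytes, IMAGE_SCN_* characteristics
        (b".text", 0x1000, bytes(range(256)) * 2, 0x60000020),   # code | execute | read
        (b".data", 0x2000, b"\x00" * 0x200, 0xC0000040),         # init data | read | write
        (b".rsrc", 0x3000, b"RSRC" * 0x80, 0x40000040),          # init data | read
    ]
    dos = bytearray(0x40)                      # IMAGE_DOS_HEADER, no DOS stub
    dos[:2] = IMAGE_DOS_SIGNATURE
    struct.pack_into("<I", dos, 0x3C, 0x40)    # e_lfanew: PE signature follows directly
    file_header = struct.pack(FILE_HEADER_FMT, 0x14C, len(sections), 0, 0, 0, 0xE0, 0x0102)
    optional = bytearray(0xE0)                 # IMAGE_OPTIONAL_HEADER32
    struct.pack_into("<H", optional, 0, IMAGE_NT_OPTIONAL_HDR32_MAGIC)
    struct.pack_into("<I", optional, 16, 0x1000)       # AddressOfEntryPoint, inside .text
    struct.pack_into("<I", optional, 28, 0x400000)     # ImageBase
    struct.pack_into("<I", optional, 92, 16)           # NumberOfRvaAndSizes
    struct.pack_into("<II", optional, 96 + 2 * 8, 0x3000, 0x200)  # resource directory
    headers = bytes(dos) + IMAGE_NT_SIGNATURE + file_header + bytes(optional)
    body, raw_ptr = b"", file_align
    for name, rva, raw, chars in sections:
        headers += struct.pack(SECTION_HEADER_FMT, name.ljust(8, b"\0"), len(raw), rva,
                               len(raw), raw_ptr, 0, 0, 0, 0, chars)
        body += raw
        raw_ptr += len(raw)
    return headers.ljust(file_align, b"\0") + body


def parse_pe(data):
    """DOS header -> PE signature -> file header -> optional header -> section table,
    returning the byte-level facts a feature extractor starts from."""
    if data[:2] != IMAGE_DOS_SIGNATURE:
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != IMAGE_NT_SIGNATURE:
        raise ValueError("missing PE signature")
    fh = e_lfanew + 4
    machine, nsec, _, _, _, opt_size, _ = struct.unpack_from(FILE_HEADER_FMT, data, fh)
    opt = fh + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic == IMAGE_NT_OPTIONAL_HDR32_MAGIC:       # PE32 layout
        image_base = struct.unpack_from("<I", data, opt + 28)[0]
        nrva, dir_off = struct.unpack_from("<I", data, opt + 92)[0], opt + 96
    elif magic == IMAGE_NT_OPTIONAL_HDR64_MAGIC:     # PE32+ layout
        image_base = struct.unpack_from("<Q", data, opt + 24)[0]
        nrva, dir_off = struct.unpack_from("<I", data, opt + 108)[0], opt + 112
    else:
        raise ValueError("unknown optional header magic 0x%x" % magic)
    entry = struct.unpack_from("<I", data, opt + 16)[0]
    present = [i for i in range(nrva)
               if struct.unpack_from("<II", data, dir_off + 8 * i) != (0, 0)]
    sections = []
    for i in range(nsec):
        (name, _, rva, raw_size, raw_ptr, _, _, _, _, chars) = struct.unpack_from(
            SECTION_HEADER_FMT, data, opt + opt_size + 40 * i)
        raw = data[raw_ptr:raw_ptr + raw_size]
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"),
                         "rva": rva, "size": raw_size,
                         "executable": bool(chars & IMAGE_SCN_MEM_EXECUTE),
                         "writable": bool(chars & IMAGE_SCN_MEM_WRITE),
                         "entropy": round(shannon_entropy(raw), 3)})
    return {"machine": machine, "magic": magic, "image_base": image_base,
            "entry_point": entry, "data_directories_present": present,
            "sections": sections}


def static_features(pe):
    """A few high-level static features of the kind fed to a classifier."""
    ep = pe["entry_point"]
    in_exec = any(s["executable"] and s["rva"] <= ep < s["rva"] + s["size"]
                  for s in pe["sections"])
    return {"entry_in_executable_section": in_exec,
            "writable_executable_sections": sum(s["executable"] and s["writable"]
                                                for s in pe["sections"]),
            "high_entropy_sections": sum(s["entropy"] > 7.0 for s in pe["sections"])}
```

The constructed .text section is filled with every byte value twice, so its entropy is exactly 8.0, which is what a packed or encrypted code section looks like to a static feature extractor; the zero-filled .data section scores 0.0.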
Introduction to Three Types of Machine Learning
Unsupervised: cluster analysis is usually used for pattern mining of unlabeled data, and the clustering results require more manual analysis to produce valuable information.
Supervised: classification learning on labeled data is generally divided into two stages:
• In the training stage, given a large amount of labeled data, a label-classification model is trained
• In the usage phase, new unlabeled data is input and the model outputs the predicted labels
For document detection, it is a black-and-white classification problem, which is very suitable for supervised learning.
Semi-supervised: by combining low-level features to form more abstract high-level representations or features, the distributed features of the data are discovered. Using limited labeled data, find unknown threats associated with known threats. It can usually solve the following three categories of problem:
• Clustering analysis
• Classification problems
• High-level feature extraction
[AI + Signature] Continuously Evolving Detection Engines
Why can't we only use signature-based technology?
• With the speed at which threats are evolving, we need AI technology to enhance the ability to detect unknown threats
Why do we still need signature-based technology?
• AI can't cover all cyber threats; a large number of threats still need signatures to detect them
• Most AI detection results cannot be confirmed 100% and need more resources for further investigation; signature matches provide complete confirmation
Feedback loop (figure): AI detects anomalies and variant malicious behavior → security analysis → signature extraction and update → quick detection by signatures → confirmed malicious behavior / security event → operation feedback → data analysis → AI detection model continuously evolving
A strong security system should include both AI and signature-based technologies!
AI vs. AI: Sample AI Detection Engines
Scenario | Data | Main Characteristic | Algorithm | Type | Sangfor Products
DNS hidden tunnel | DNS log | Entropy of valid information in a domain name, access behavior | Random forests | supervised | Cyber Command, NGAF, Endpoint Secure
DGA domain name | DNS log | Entropy of valid information in a domain name, access behavior | NLP, graph analysis | supervised | Cyber Command, NGAF, Endpoint Secure
New malicious domain name | DNS log | Entropy of valid information in a domain name, access behavior | NLP, anomaly detection | supervised + unsupervised | Cyber Command, NGAF, Endpoint Secure
Botnet family variant tracking | DNS log | Host / domain name / resolved IP graph structure information | Graph analysis | semi-supervised | Cyber Command, NGAF, Endpoint Secure
HTTPS C&C | HTTPS log | TLS handshake / certificate / background flow characteristics | Random forests | supervised + unsupervised | Cyber Command, NGAF
Encrypted RDP and SSH slow brute force | RDP log, SSH log | Access frequency, login status characteristics | Random forests | supervised | Cyber Command, NGAF, Endpoint Secure
Website defacement | Web access log | Syntactic features of web content | NLP | supervised | Cyber Command, NGAF
Engine-Zero file anti-virus | Files | Static file characteristics | XGBoost | supervised | Cyber Command, NGAF, Endpoint Secure
Webshell | HTTP log | URL grammar characteristics, traffic behavior characteristics | NLP | supervised | Cyber Command, NGAF
Abnormal outbound behavior | Session | Traffic behavior characteristics | Anomaly detection | unsupervised | Cyber Command
Abnormal login behavior | Login log | Login behavior characteristics | Anomaly detection | unsupervised | Cyber Command
Attack path recovery | Multiple logs | Multi-log correlation characteristics | Knowledge mapping | unsupervised | Cyber Command
PART 3 Use Case
Core Data and Source Code Exfiltration
Manufacturing
Point of entry: PC in the office
Apparent objective: exfiltrate data
Security event: organized APT attacks from Russia, using an AI algorithm to identify sensitive data and generate domain names to send the data.
Anomalous activity detected: large numbers of DNS requests to ppxxu.ru (Russian domain name)
• With AI-driven attacks, there will be a large amount of core data and source code exfiltration
• The malware automatically disguises itself as a system file, records keystrokes and splices words together to send data through DNS requests
(Columns of the evidence table on the original slide: IP, DNS Request IP, Destination IP, Domain Name Requested, Resolution)
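The anomaly in this use case, a large number of DNS requests to one domain with the data spliced into the queried names, can be picked out of a DNS log with a per-(host, domain) profile. The Python below is an added example and not the detection Sangfor's product performs: for each source host and registered domain it counts requests, distinct subdomains and the characters carried in those subdomains, and flags pairs where nearly every query uses a fresh name, since legitimate traffic repeats a small set of names while a data channel has to put new data into every query. ppxxu.ru is the domain named on the slide; the log format, the hosts, the word-spliced labels and the benign traffic are constructed.

```python
from collections import defaultdict

# Constructed DNS query log, "<source_ip> <queried_name>" per line. ppxxu.ru is
# the domain from the use case; the subdomain labels, other names and hosts
# are made up to resemble the word-splicing described on the slide.
EXFIL_LABELS = [
    "quarterly-revenue-forecast", "customer-list-export", "source-code-archive",
    "payroll-summary-march", "board-meeting-minutes", "design-specs-v2",
    "vpn-credentials-backup", "merger-plan-draft", "supplier-contract-terms",
    "firmware-build-keys", "factory-floor-layout", "patent-filing-notes",
]
SAMPLE_DNS_LOG = "\n".join(
    ["10.0.0.5 %s.ppxxu.ru" % label for label in EXFIL_LABELS]     # exfil channel
    + ["10.0.0.20 www.example.com"] * 6                             # ordinary browsing
    + ["10.0.0.20 mail.example.com"] * 4
    + ["10.0.0.20 cdn.example.com"] * 2
    + ["10.0.0.9 www.ppxxu.ru", "10.0.0.9 mail.ppxxu.ru", "10.0.0.9 www.ppxxu.ru"]
)


def parse_dns_log(text):
    """Parse the constructed two-column format, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            records.append({"src": parts[0], "qname": parts[1].lower().rstrip(".")})
    return records


def registered_domain(qname):
    """Last two labels. Naive for public suffixes such as co.uk; a production
    detector would consult the Public Suffix List instead."""
    return ".".join(qname.split(".")[-2:])


def subdomain_part(qname):
    """Everything in front of the registered domain: where a channel carries data."""
    return ".".join(qname.split(".")[:-2])


def profile_dns_requests(records):
    """Per (source host, registered domain): request count, distinct subdomains and
    the number of subdomain characters sent (each distinct label counted once)."""
    profiles = defaultdict(lambda: {"requests": 0, "subdomains": set(), "payload_bytes": 0})
    for r in records:
        p = profiles[(r["src"], registered_domain(r["qname"]))]
        sub = subdomain_part(r["qname"])
        p["requests"] += 1
        if sub not in p["subdomains"]:
            p["payload_bytes"] += len(sub)
        p["subdomains"].add(sub)
    return profiles


def flag_dns_exfiltration(records, min_requests=10, min_unique_ratio=0.8):
    """Flag (host, domain) pairs with many requests where almost every query carries
    a subdomain not seen before from that host, ordered by characters sent."""
    flags = []
    for (src, domain), p in profile_dns_requests(records).items():
        unique = len(p["subdomains"])
        if p["requests"] >= min_requests and unique / p["requests"] >= min_unique_ratio:
            flags.append({"src": src, "domain": domain, "requests": p["requests"],
                          "unique_subdomains": unique, "payload_bytes": p["payload_bytes"]})
    return sorted(flags, key=lambda f: f["payload_bytes"], reverse=True)


if __name__ == "__main__":
    for f in flag_dns_exfiltration(parse_dns_log(SAMPLE_DNS_LOG)):
        print(f)
```

On the sample only the pair (10.0.0.5, ppxxu.ru) is reported: twelve requests, twelve distinct subdomains and 242 characters of label data. The browsing host repeats three names and stays far below the uniqueness ratio, and the host that looked up ppxxu.ru three times never reaches the request threshold, which is the kind of low-volume lookup that should not page anyone.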
PART 4 Takeaways
Takeaways
• Cybercriminals are using AI for more targeted and successful attacks
• The best way to fight AI is with smarter AI
• Deploy innovative AI to stay ahead of attackers
• Multiple & blended techniques
• Multi-dimensional analysis
• Leverage infinite cloud resources
• Identifying and exploiting 0-day vulnerabilities
• Sophisticated APT evasion techniques
• Higher success rate for breaches
• Multi-stage AI engines
• Cloud sandbox & analysis
• Business risk aware
Next Weekly Security Webinar
365 Days Since Sangfor Launched Its Incident Response Service
Abstract: Sangfor Security Services will share some of their cyber incident response use cases for your education. They will also present statistics on how and by whom customers were attacked, as well as mitigation strategies that could be used to combat the attacks.
1st December 2020 16:00 (GMT +8)
THANK YOU
Guy Rosefelt
Security Product Marketing Director
Sangfor Technologies