
Page 1: Malware Economics and its Implication to Anti-Malware ... · Malware Economics and its Implication to Anti-Malware Situational Awareness Arun Lakhotia, Univ of Louisiana-Lafayette

Malware Economics and its Implication to Anti-Malware Situational Awareness

Arun Lakhotia, Univ of Louisiana-Lafayette

Vivek Notani, Cythereal

Charles LeDoux, Cythereal

Presented at CyberSA, June 11-12, 2018 Glasgow

6/22/2018 (C) 2018 Lakhotia, Notani, & Ledoux. 1

Page 2:

Motivation: Attackers try, try, and try

Can we gain situational awareness from attackers' attempts?

Page 3:

Try, try, and try is done using code reuse and variants

“Last year's most common malware, Conficker, was based on a 7-year-old vulnerability”.

- Gartner, Predicts 2017: Threat and Vulnerabilities

“Over 90% of all malware attacks are by unique variants”

- Webroot

Page 4:

Malware economics drive reuse and variants

Page 5:

Key Idea: Detect repeated attacks by shared code

Page 6:

Cythereal MAGIC: Search engine for malware

Page 7:

Malware data show very high sharing of code

Page 8:

Case Study

• Financial services company profile
  • 120,000 servers, 60 countries
  • In-house, trained staff in malware analysis
  • Separate Security Operations and Threat Investigation functions
• Data
  • Selection of 463 binaries
  • VirusTotal first seen: Jun 2006 to April 2014
  • Not seen on VirusTotal: 18 binaries
  • Size: 95th percentile, 700 KB

Page 9:

Finding: High variation in AV detection rates

Page 10:

Finding: Clusters of malware with shared code
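The key idea on page 5 (detect repeated attacks by shared code), the search-engine view on page 6 and the clustering finding above all rest on one operation: fingerprint each function in a sample, then measure how many fingerprints two samples share. The Python below is an added example written for this page; it is not the authors' code and not Cythereal MAGIC, whose similarity method the slides do not describe. The disassembly is constructed by hand for four hypothetical samples (build1, build2, unrelated, reuser), the operand-normalization rules, the SHA-256 function fingerprint and the 0.5 threshold are all assumptions, and the run shows why normalization matters: a re-keyed, re-registered, relinked copy of the same decoder routine hashes identically, so build2 clusters with build1 as a variant, while a family that only lifted one persistence routine stays below the threshold but is still found through the inverted index.

```python
"""Cluster samples by shared code: added example (not the authors' code or
Cythereal MAGIC). Disassembly, samples and thresholds are constructed/assumed."""
import hashlib
import re
from collections import defaultdict
from itertools import combinations

# Operand normalisation (assumed rules): registers -> REG, numeric literals -> IMM.
# A routine then hashes the same after relinking (shifted addresses), register
# re-allocation, or a changed constant such as an XOR key.
_REG = re.compile(r"\b(?:[er]?[abcd]x|[er]?[sd]i|[er]?[sb]p|r\d+[dwb]?|[abcd][lh])\b")
_NUM = re.compile(r"\b0x[0-9a-fA-F]+\b|\b\d+\b")


def normalize(insn):
    """Return one instruction string with registers and literals abstracted."""
    mnemonic, _, operands = insn.strip().partition(" ")
    operands = _NUM.sub("IMM", _REG.sub("REG", operands))
    return f"{mnemonic} {operands}".strip()


def fingerprint(func):
    """Function fingerprint: SHA-256 over the normalised instruction sequence."""
    h = hashlib.sha256()
    for insn in func:
        h.update(normalize(insn).encode())
        h.update(b"\n")
    return h.hexdigest()[:16]


def sample_fingerprints(functions):
    """Set of function fingerprints for one sample."""
    return {fingerprint(f) for f in functions}


def jaccard(a, b):
    """Share of code two samples have in common: |A & B| / |A | B|."""
    return len(a & b) / len(a | b) if (a or b) else 1.0


def shared_code_index(samples):
    """Inverted index, fingerprint -> sorted names of the samples containing it.
    This is the search-engine view: query by a function, get every sample reusing it."""
    index = defaultdict(set)
    for name, funcs in samples.items():
        for fp in sample_fingerprints(funcs):
            index[fp].add(name)
    return {fp: sorted(names) for fp, names in index.items()}


def cluster_by_shared_code(samples, threshold=0.5):
    """Single-link clustering: any pair with Jaccard >= threshold joins one cluster."""
    fps = {name: sample_fingerprints(funcs) for name, funcs in samples.items()}
    parent = {name: name for name in samples}

    def find(x):
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for a, b in combinations(samples, 2):
        if jaccard(fps[a], fps[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = defaultdict(list)
    for name in samples:
        groups[find(name)].append(name)
    return sorted(sorted(g) for g in groups.values())


# Constructed disassembly for four hypothetical samples; not real malware.
XOR_DECODE_V1 = ["push ebp", "mov ebp, esp", "mov ecx, [ebp+8]", "mov edx, [ebp+12]",
                 "xor byte ptr [ecx], 0x5a", "inc ecx", "dec edx", "jnz 0x401010",
                 "pop ebp", "ret"]
# Same decoder in a later build: new XOR key, other registers, relinked jump target.
XOR_DECODE_V2 = ["push ebp", "mov ebp, esp", "mov esi, [ebp+8]", "mov ebx, [ebp+12]",
                 "xor byte ptr [esi], 0x7c", "inc esi", "dec ebx", "jnz 0x402210",
                 "pop ebp", "ret"]
CONNECT_C2 = ["push 0x1bb", "push 0x403000", "call 0x401400", "test eax, eax", "jz 0x4011f0", "ret"]
PERSIST_RUNKEY = ["push 0x403020", "push 0x80000001", "call 0x401500", "test eax, eax", "jnz 0x401240", "ret"]
SCREENSHOT = ["push 0", "call 0x401600", "push eax", "call 0x401640", "ret"]
DROPPER_STUB = ["push 0x404000", "call 0x401700", "mov [0x405000], eax", "ret"]
NOP_ROUTINE = ["push ebp", "mov ebp, esp", "xor eax, eax", "pop ebp", "ret"]

SAMPLES = {
    "build1": [XOR_DECODE_V1, CONNECT_C2, PERSIST_RUNKEY],
    "build2": [XOR_DECODE_V2, CONNECT_C2, PERSIST_RUNKEY, SCREENSHOT],  # variant of build1
    "unrelated": [DROPPER_STUB, NOP_ROUTINE],
    "reuser": [DROPPER_STUB, PERSIST_RUNKEY],  # other family that lifted one routine
}

if __name__ == "__main__":
    print("decoder fingerprints equal:", fingerprint(XOR_DECODE_V1) == fingerprint(XOR_DECODE_V2))
    print("clusters @0.5:", cluster_by_shared_code(SAMPLES, 0.5))
    print("clusters @0.3:", cluster_by_shared_code(SAMPLES, 0.3))
    print("who reuses the persistence routine:",
          shared_code_index(SAMPLES)[fingerprint(PERSIST_RUNKEY)])
```

Two caveats a practitioner should keep in mind. First, the threshold decides what counts as a repeated attempt: at 0.5 the reuser stays alone, at 0.3 it merges with the sample it shares a dropper stub with, so the clusters should be read together with the per-function index rather than on their own. Second, exact hashes over normalised mnemonics only survive the cheap mutations shown here (new keys, registers, addresses); packing, junk-code insertion or reordering defeat them, which is why the slides validate the clusters with a structural matcher such as BinDiff (page 12) rather than with hashes alone.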

Page 11:

Finding: Different methods used to breach security

Page 12:

Results validated using BinDiff

Page 13:

Conclusions

• Advanced attackers repeatedly probe the defense until they succeed

• Repeated attempts are performed using malware variants

• Shared code can indicate repeated attempts

• Cythereal MAGIC provides the capability to search and cluster malware based on shared code

• The case study affirms that clustering malware variants can provide situational awareness of the threat environment.
